SearchProtectToolbar_8e0da017ba

by malwarelabrobot on August 16th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.Agent.aeph (Kaspersky), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 8e0da017ba8021a7d587a49ead1f5c72
SHA1: d7a3ff2fa7648c85de2c3bdd1a70e1f54b1e3deb
SHA256: e7b713055e95e7eb532530f8f147f0d2049dc658ae118e246d79f549f3dd0bc8
SSDeep: 6144:Xrkb9uEo2S1YnQmCX492DkwNP3qpYF6mYj4IEvKavM2xx0J30F/KTHJ4yWEI5:XrkRu6/eIo4eVIEvFM2KkZKTphu
Size: 289104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

putfu.exe:2752
nsiC3.exe:840
sp-downloader.exe:1700
CltMngSvc.exe:1912
CltMngSvc.exe:1324
cltmng.exe:660
nsgBD.tmp:1656
usetup.exe:3280
cltmngui.exe:1540
rundll32.exe:2928
rundll32.exe:2880
%original file name%.exe:224
nspC7.exe:2460
nsdB5.exe:1708
nsdB5.exe:384
UpdateSoftware.exe:1580
UpdateSoftware.exe:3816

The Backdoor injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process putfu.exe:2752 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\ProgramUpdater\Assistant.dll (264574 bytes)
%Program Files%\ProgramUpdater\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)

The process nsiC3.exe:840 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjC5.tmp\inetc.dll (30 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjC5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC5.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC5.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC4.tmp (0 bytes)

The process sp-downloader.exe:1700 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscB3.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spstub[1].exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.exe (11736 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\MiniStubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt1_M1E95D34D-01FE-4869-AA16-13BE9143470C (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB2.tmp (0 bytes)

The process CltMngSvc.exe:1912 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)

The process cltmng.exe:660 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (1751 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\STG\Init_C6.tmp (0 bytes)

The process nsgBD.tmp:1656 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshC2.tmp (763 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiC3.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswC0.tmp (691196 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (97773 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (2225 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC7.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81732 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (478 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C6.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\CT3309297[1] (763 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nswBF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\SPtool.dll (0 bytes)

The process usetup.exe:3280 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\UpdateSoftware.exe (33792 bytes)

The process cltmngui.exe:1540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)

The process %original file name%.exe:224 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sp-downloader[1].exe (5064 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinCEA5.bat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4_3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8e0da017ba8021a7d587a49ead1f5c72.log (3053202 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\2[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinE12B.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_2.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.sp-downloader.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu926E9E8E.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.ico (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.dat (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\4_2[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\general_logo.bmp.tmp (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.2.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3202_appcompat.txt (2286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\agup[1].exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\general_logo[1].bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.usetup.exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D29ACE87.dat (13584 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_2.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinCEA5.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\r2.monitorbox1[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Readme.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.3.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D29ACE87.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_3.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinE12B.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.sp-downloader.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons\sp-downloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\general_logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.2.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFDE71.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu926E9E8E.dll (0 bytes)

The process nspC7.exe:2460 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsvC9.tmp\inetc.dll (30 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsvC9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfC8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvC9.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvC9.tmp\inetc.dll (0 bytes)

The process nsdB5.exe:1708 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBE.txt (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\System.dll (11 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsqBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBE.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\StubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt2_M1E95D34D-01FE-4869-AA16-13BE9143470C_{BA808747-6D26-4AE9-BED0-C8ED1A8042F1} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\System.dll (0 bytes)

The process nsdB5.exe:384 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBD.txt (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB8.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBD.tmp (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\SPSetup[1].exe (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\StubUtils.dll (9320 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsgB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt2_M1E95D34D-01FE-4869-AA16-13BE9143470C_{35413975-D066-4445-8433-15088E18B9C2} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBD.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\StubUtils.dll (0 bytes)

The process UpdateSoftware.exe:3816 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Tasks\UpdateSoftware-S-3956077583.job (692 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\3956077583.ini (42494 bytes)

Registry activity

The process putfu.exe:2752 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"27ddcf6f" = "///%"
"8b9e4cbc" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c6c5dd44" = "V/////%%"
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"InstallDate" = "20130815"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"340d3099" = "/P////%%"
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"NoModify" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c99a5f5c" = "///%"
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Install_Dir" = "%Program Files%\\ProgramUpdater"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"data.0" = "ylN02cK nhU8Hmnikg92tuMhLH5HfWDMiEHK1xyVZoZwltKt9LjQD4XzWA BH1aMfJJDr7ICpnik"
"data.1" = "vgP13lWKxnlmjlhabc/G7q3CGSP8lqE/0 MhsGl7d1ID1tctLxNX0FEQ2U CVCgBVWIcwhMtpybZC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"uuid" = "5684ccde-7fd252c6-a8a67a25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"6a096ac0" = "%Program Files%\ProgramUpdater\Assistant.dll"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"uuid" = "5684ccde-7fd252c6-a8a67a25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\PROGRA~1\ASSIST~1.DLL,_uninstall /un /uq"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Version" = "22021985"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"dlpath" = "c:\progra~1\progra~1\assist~1.dll"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0c230bcb" = "///%"
"7367429f" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"Publisher" = "Certified Publisher"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\PROGRA~1\ASSIST~1.DLL,_uninstall /un"
"DisplayName" = "ProgramUpdater 1.80"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\searchprotect\searchprotect\bin\spvc32loader.dll c:\progra~1\progra~1\assist~1.dll"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svi" = "0"
"svpath" = "c:\progra~1\progra~1\AssistantSvc.dll"
"svn" = "ProgramUpdater"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svx" = ""

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"usr.0" = "YnL46Dxztvqomjlhab"
"usr.1" = "Xu4HyM/XZTVNPRJLFH"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svt" = "1408101046"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4E EE 49 BF D2 C3 E7 32 44 F8 07 6E F1 90 31"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"State" = "0"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"LRTS" = "0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"LRTS" = "0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"date" = "1408101045"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0c230bcb" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"65114b36" = "Vl/l////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"CategoryName" = ""

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"340d3099" = "///%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"n" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"414bc593" = "///%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"2d71d5ab" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"51d2f2ea" = "J/Af/X6/GlAf/XD/aPAK/Y//G/Ay/YP/GPAf/B//VP/j/Cx/V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"data.1" = "vgP13lWKxnlmjlhabc/G7q3CGSP8lqE/0 MhsGl7d1ID1tctLxNX0FEQ2U CVCgBVWIcwhMtpybZC"
"data.0" = "ylN02cK nhU8Hmnikg92tuMhLH5HfWDMiEHK1xyVZoZwltKt9LjQD4XzWA BH1aMfJJDr7ICpnik"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c5705860" = "Vx////%%"
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"414bc593" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a0743acc" = "N/////%%"
"a2e3b941" = "///%"
"0e93c3f3" = "///%"
"51d2f2ea" = "J/Af/X6/GlAf/XD/aPAK/Y//G/Ay/YP/GPAf/B//VP/j/Cx/V/////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a2e3b941" = "///%"
"a0743acc" = "N/////%%"

"7f69fa1f" = "///%"
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"NoRepair" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"587b5709" = "V/////%%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"7f69fa1f" = "///%"
"e46c271e" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"usr.1" = "Xu4HyM/XZTVNPRJLFH"
"usr.0" = "YnL46Dxztvqomjlhab"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"date" = "1408101045"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsiC3.exe:840 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjC5.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 01 BB A0 9E 60 44 47 3D D3 96 60 C7 6E B8 78"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sp-downloader.exe:1700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvC9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxB4.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 C0 A6 E5 C6 4F 09 FF 84 1E C8 11 76 9B A3 E5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process CltMngSvc.exe:1912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\SearchProtect]
"TS" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E C9 B6 7F 07 0E C9 D5 05 0C F5 AD 1E 62 7C B9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process CltMngSvc.exe:1324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 52 C2 A6 2D F2 5A 23 12 91 29 80 C9 32 58 34"

The process cltmng.exe:660 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 FA C4 97 8B C6 1E 87 20 E6 6C F8 15 7C 6F 3F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsgBD.tmp:1656 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SP2C59908A-129D-4A5A-982C-0E0732D1907D"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Client Connect LTD"

[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"UninstallString" = "C:\PROGRA~1\SearchProtect\Main\bin\uninstall.exe /S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "2.16.20.192"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\SearchProtect]
"InstallDir" = "C:\PROGRA~1\SearchProtect"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe"
"DisplayName" = "Search Protect"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 86 40 52 20 28 53 31 2E 17 00 D7 03 FA 2F A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"

The process usetup.exe:3280 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 7E 08 7C 9B 5F D8 C4 30 A3 3A 5A F6 6C 30 4E"

The process cltmngui.exe:1540 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E8 89 88 FB AC 03 A3 DD D7 49 AB B8 F0 F4 24"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:2928 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 09 7C B0 A7 38 3C 86 F9 F3 ED 02 0D EA 8C AC"

The process rundll32.exe:2880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 36 F5 F5 0F 6F 45 6E 3D 6A AD 04 45 5B 67 33"

The process %original file name%.exe:224 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ReceiveTimeout" = "600000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"Language" = "1033"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvC9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxB4.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Tsu926E9E8E.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons]
"sp-downloader.exe" = "Search Protect"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"VersionMinor" = "0"

"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{0FD22~1\Setup.exe /remove /q"
"VersionMajor" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"Version" = "16777216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"EstimatedSize" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Fonts" = "%WinDir%\Fonts"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 15 F4 6E D5 72 C2 9C 4C FD C6 C5 68 B4 09 31"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{0FD22~1\Setup.exe /remove /q0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"TSAware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons]
"usetup.exe" = "usetup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\83ef4af0-d010-4d84-b5c5-54b2fb84b01c]
"TizPath" = "c:\%original file name%.exe"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process nspC7.exe:2460 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvC9.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 0B 42 CF 41 7E 03 3F 5E 86 35 B1 ED 5D 31 56"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsdB5.exe:1708 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 04 52 FE A7 64 70 56 20 25 C4 5A E0 3C 6F B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsdB5.exe:384 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslBC.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvC9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB9.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 59 9C E7 E7 79 0E 63 52 0B ED 00 89 A1 8B FC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process UpdateSoftware.exe:1580 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
"0dc3ee96" = "/P////%%"
"7367429f" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"2d71d5ab" = "V/////%%"
"7f69fa1f" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"493c7345" = ""

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"587b5709" = "V/////%%"
"340d3099" = "/P////%%"
"72758a5d" = "///%"
"6185d035" = "VP/h/CP/V//l////"
"0e93c3f3" = "///%"
"51d2f2ea" = "J/Af/X6/GlAf/XD/aPAK/Y//G/Ay/YP/GPAf/B//VP/j/Cx/V/////%%"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
"d1abcdb6" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0c230bcb" = "///%"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"f0bf0bde" = "///%"
"65114b36" = "Vl/l////"
"f1f24e29" = "Vl/l/C/////%"
"a0743acc" = "N/////%%"
"c6c5dd44" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"3c09c42b" = "///%"
"c5705860" = "Vx////%%"
"c99a5f5c" = "///%"
"414bc593" = "///%"
"a2e3b941" = "///%"
"e46c271e" = "///%"
"fe94ce1e" = "V/////%%"
"1520c6f1" = "V/////%%"
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 6A D3 33 07 E7 4C AC 33 5C A4 6A 29 73 99 C7"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"27ddcf6f" = "///%"
"8b9e4cbc" = "V/////%%"
"bbf88800" = "///%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

The process UpdateSoftware.exe:3816 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 jyYwQburpniZRRB5FiXXl0Nh4RV" = "NP6yu5 vmsLWrtvqomdnZfXgratpYVnb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"URLUpdateInfo" = ""
"URLInfoAbout" = ""

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 iI0lv89/XZTpmaWCAW6XiF/xIowoplYxrEc" = "NP6yu5 op/1ESUMOQIiA/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"Publisher" = "PremiumSoft"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 rK2YdOCDWYSo sSZJb0LFNMK7umzJ4f" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 obHhU6789/Xu3lMQKQBU9v0o8l1 pwHGQ7a" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 jnTHsfABCDWtWkUM/W1aPBtS1 VQW3XAfac" = "NP6yu5 su8YtQ34567VnKOTlN"
"NP6yu5 t4SMY89/XZTo241UBcL1FgCdQgO" = "NP6yu5 jnxjzOdefABNqu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"SilentUninstall" = "c:\documents and settings\all users\application data\softsafe\updatesoftware\updatesoftware.exe /uninstall"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 oRN6utIKEG digPng1ySOBlAVHvZrTks5X3JZ0jUs" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 t p YmhabcdJfHSAepXR5o1j1c DKl8GWf2QPTqLd" = "NP6yu5 v S3HjlhabcDHyP897ocAuGqJgsg5"
"NP6yu5 qnt FxztvqoDfBtS/GCPHJVoOIo2SDnPtKi" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 kq14RlhabcdIjFSyg16YzyLsH" = "NP6yu5 jWjbxOabcdeYHzRJ8BJsKJZOV"
"NP6yu5 qCEj2JrpnikTXYRb/hjk8pv2i7" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 mGMVNpnikg0UES4we2P15TB9y" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 kzHwZuJLFHw5Fr3FSOzPpISE/F" = "NP6yu5 vnNnZzG xztBe7qNMhrU5nv7p2jg3MSoGKR2AOifGjaisEzPiKveJre7eC2osjAxko/vUyvZtN4IYuES3zz9TinpNYuYzUZrmzq09xRJjuTq5AlcMd3b9ymQA4IBVY581FGF0U3Y qvoIHd3yitOyzlhhUG9isJtU cLS4On UnxKakKxqiq7s2UoJE3nd3krWq 9v5e1lcOEFzZuwR0C5G0Buk1ekwXnca4/GyWLQ0RKA9/gnyRwN doQEiqxnReBKT7HtpltL5cigNEXkGeb6N3PGb6 KyXobYwYER8wYBbGekIO59ZF2 v3RA rA9WcH4txlPPE9YV8gwJ1qDAFwj/PZPKgcu2OOVdZjePKZtQKwHQzU0RtDHELJESORhEr2Tb bhyJwiujYtSlzFVmWr9noi3dhI8YGcrw XL7KqDHuJCUbSKlV3Y4qrbtWHvv8m5nZ93LHYjJcoiD3QD8ZTuqjowIP0PH1FyNY3/n"
"NP6yu5 jJE/mnBCDWYvA42sczUv9SClfrqvZXt8sBARO" = "NP6yu5 vmsLWrtvqomdnZfXgratpYVnb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"NoModify" = "1"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 mA7A/0RJLFH3oCqCND9QOs7c7LJLxGmTX4Y5fn0nd" = "NP6yu5 xztvqomjlha"
"NP6yu5 zUPS3jlhabcQDMNIScd6AO3aDxmTq1WIaX6" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayName" = "UpdateSoftware"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 tJp3sbqomjlSvJfgkDPgofAaSAq8LeS0XEI" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 imD09G789/XrRUo/jOxMoD5p8s7z6" = "NP6yu5 owmZMztvqom44"
"NP6yu5 y9R/xAztvqoWETd7yHx7kCFYzD24sLA" = "NP6yu5 xztvqomjlha"
"NP6yu5 rOHR67habcdI6oQitBZylEDlKv" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 pNrKTFbcdefEjL8Z1TlnENCpBpb" = "NP6yu5 rBInjOlhabcD1FUrNUWvK5"
"NP6yu5 m493B1JLFHwfSLP0cq" = "NP6yu5 rBInjOlhabcD1FUrNUWvK5"
"NP6yu5 t5w/eBhabcdLg7/sFSAaTxRvG" = "NP6yu5 xvTqlqdefABK 80Gq2mWBC1o0 "
"NP6yu5 qAAIJrpnikgVSUoLaz3mK8u RgKbxPY" = "NP6yu5 ms6Kogvqomje5FgkwM"
"NP6yu5 o/JAuurpnikZzc72iod641QVSkWTqJSu5zR" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
"NP6yu5 q2cpRx789/XueIe5iLgmR36Hi9ZR5HNZs2A" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 mPpwLQDWYSUoj8v7lBa0 8W0MSmWN4ClWM7" = "NP6yu5 mAzKd789/XZzLMPPGMuVLt9zIJASWw"
"NP6yu5 me6uTVNPRJL13Jfl4Pkq3 KZkkBGDuDhpPPquV" = "NP6yu5 owmZMztvqom44"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 sFynDebcdef tMD" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 vGPjjAfABCDtsHMzvqSfT7E4si" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 u2C5SlhabcdKYXGD2X5Dtp " = "NP6yu5 n6OXwBkg012Ddmp9hN1dZbdGi"
"NP6yu5 yEFhrM xztvBTqybYrHCKZLQDEDd77yDa71" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 xyxzUr xztv8XRDd4dOlw/ 0eLrMM" = "NP6yu5 p/RcQikg012CPtvY0JqomLb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"NoRepair" = "1"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 s2TbxEefABCxJ0DAXr /fsJdEdZsSHr HV" = "NP6yu5 jWjbxOabcdeYHzRJ8BJsKJZOV"
"NP6yu5 ow1rR56789/ue1sByvUf4kVuix" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 jxu9x/ztvqoWwAvzzG1eDHhjPa" = "NP6yu5 mAzKd789/XZzLMPPGMuVLt9zIJASWw"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"InstallDate" = "20130815"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 q83XdcabcdeK18vAC0H9NVFErZY89qziqz" = "NP6yu5 xvTqlqdefABK 80Gq2mWBC1o0 "
"NP6yu5 xegqyZTVNPRhap40RL5nzk9RVF fIgeuX" = "NP6yu5 ouLGsR/XZTVHZg6"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 7C 54 1B 91 E4 06 75 06 27 D7 D6 BD DA 95 07"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"_In" = "20140815"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 upBrs456789yYTFdDrzVA0PJHl5GUN4cRRU6I0 /b" = "NP6yu5 ms6Kogvqomje5FgkwM"
"NP6yu5 mGooxrikg01VravP7V/5b68FyY" = "NP6yu5 su8YtQ34567VnKOTlN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 t3BD56789/Xu4TF4qCfDCBTHm9BO81oA/UPCl" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 vbNHYCDWYSUoiK7bPU/LiTlOXXB/Y/8ZsgUeDPvDrC" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 sH9 Y xztvq/XYWHIi jTIOMPd" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 iqFGhLqomjlSrvHfNHJ3oZIgyJwy44WgZ8t" = "NP6yu5 vnNnZzG xztBe7qNMhrU5nv7p2jg3MSoGKR2AOifGjaisEzPiKveJre7eC2osjAxko/vUyvZtN4IYuES3zz9TinpNYuYzUZrmzq09xRJjuTq5AlcMd3b9ymQA4IBVY581FGF0U3Y qvoIHd3yitOyzlhhUG9isJtU cLS4On UnxKakKxqiq7s2UoJE3nd3krWq 9v5e1lcOEFzZuwR0C5G0Buk1ekwXnca4/GyWLQ0RKA9/gnyRwN doQEiqxnReBKT7HtpltL5cigNEXkGeb6N3PGb6 KyXobYwYER8wYBbGekIO59ZF2 v3RA rA9WcH4txlPPE9YV8gwJ1qDAFwj/PZPKgcu2OOVdZjePKZtQKwHQzU0RtDHELJESORhEr2Tb bhyJwiujYtSlzFVmWr9noi3dhI8YGcrw XL7KqDHuJCUbSKlV3Y4qrbtWHvv8m5nZ93LHYjJcoiD3QD8ZTuqjowIP0PH1FyNY3/n"
"NP6yu5 jO7cksRJLFHdItgO4" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 kMSXeBMOQIKhE69m1QE674UDEx" = "NP6yu5 op/1ESUMOQIiA/"
"NP6yu5 qwDMhUjlhabRi95gdx9wB Kt8h" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
"NP6yu5 s/N9q2LFHwy5Ge3vWafDDyM0XgIXL/SocfUpBEc2iz" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 oFUvMDbcdefHBbxrMluGJ9Aygj" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 qmagWavqomjYke3rg3RaIWgtRR6ly542b" = "NP6yu5 n6OXwBkg012Ddmp9hN1dZbdGi"
"NP6yu5 oxTCwROQIKEbfoQmXOVq3pyCV" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 u4W7I3FHwysfpPWVEc640Vgj7vuI5FRvR" = "NP6yu5 xKYF 812345Z1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"UninstallString" = "c:\documents and settings\all users\application data\softsafe\updatesoftware\updatesoftware.exe /uninstall"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 uGnmtBCDWYSqb6jM/jZxaHmJs4bb/qRin 8" = "NP6yu5 mbJv4NCDWYSFDYGY/idAu1r"
"NP6yu5 xh2uW4Hwysu7Ssr8oWZx2xW2hDd4djxqbX" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 r 8G2h34567HEDrcOMl 7 u93c" = "NP6yu5 mbJv4NCDWYSFDYGY/idAu1r"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayVersion" = "4.2.0.1452"

[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 xGCT2oqomjlV2gRnCoLMWn7nyn" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"

Dropped PE files

MD5	File path
af7ce801c8471c5cd19b366333c153c4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Tsu926E9E8E.dll
81c1d94ffd2c170a86c4c0c7b183e9ef	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsgBD.tmp
02c162fd7706e887624dfcc410979355	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiC3.exe
02c162fd7706e887624dfcc410979355	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nspC7.exe
23912df27a61ea0463c5509ba6a97579	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons\putfu.exe
0b813086a3400aafa1639d08823fbd46	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Addons\sp-downloader.exe
5f8e3ef6090df78ed65b967f0f31c88c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll
e717f6ce3a7429bfa6d7f3cf66737a4b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe
dcb9a8355be913b52d77c9040141cd3c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll
a90faa6449a4beca4466564510991bb1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spstub[1].exe
23912df27a61ea0463c5509ba6a97579	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\tpq[1].exe
81c1d94ffd2c170a86c4c0c7b183e9ef	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\SPSetup[1].exe
9dfbb035592ea044a4b29977a3f272ff	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\agup[1].exe
0b813086a3400aafa1639d08823fbd46	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sp-downloader[1].exe
d4d1cc69e363813c14f289694756aa1e	c:\Program Files\ProgramUpdater\Assistant.dll
348bd6c1565bd5f85ed13b56d2401f05	c:\Program Files\ProgramUpdater\AssistantSvc.dll
49010923a074f8c93b0cbc10600187cd	c:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe
41ea3a902bcc76650664b8a10e4a1722	c:\Program Files\SearchProtect\Main\bin\SPTool.dll
75323751eb811da0bd13430d8cb81d83	c:\Program Files\SearchProtect\Main\bin\uninstall.exe
fe7292c8fc7d1a0314a26e253af2254d	c:\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe
95d43017acf77911d801bbda1125d428	c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32.dll
f303bf7e33c8e5ed667d751501981c63	c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
6c365122d30012d9316cd1dee0c005d4	c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64.dll
9d0e94e14d5808cd42cf28b076f19fb1	c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
2875ed5399cd95ad378b35097311fb1e	c:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
fcd5525df15e9f59707ae0cbe0d636c2	c:\Program Files\SearchProtect\UI\bin\cltmngui.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: SoftSafe
Product Name: SoftSafe
Product Version: 1.0.0.1
Legal Copyright: Copyright (c) 2012 SoftSafe
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2013.3.24.1715
File Description: Installer for SoftSafe
Comments: WinNT (x86) Unicode Lib Rel
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	7672	7680	4.5056	b1ae6dcdc3a7ba319c6d5e0b1a2eadbc
.rdata	12288	1794	2048	3.26018	cd4f20f041a2da05dfe5974fe61bd4ec
.data	16384	1040	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	20480	8288	8704	3.02575	7f1e8474d5f70f889b937f9375db5f5e
.reloc	32768	348	512	2.09579	938152484b33bca77bd622973abb524e
.tsustub	36864	120967	121344	5.54275	5ed0ad3f3bf3a02aac779aec261f64e8
.tsuarch	159744	143872	143872	5.54308	4989d490d7a796c29503175e9dacc9dd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2026
0b01d1d6e64db0f42e95f7673aa20c8d
ee5a918e0071b8ddfc5e1459507cdb0c
90d174bf957ec052ffac0a3ff0975a87
59de7fbdc6af7d28cfde8dbc60eaf9d9
6223fd901c30fb54ecba1704fa2da545
bbd5163a81c9f5c760169b782223bb41
b69b50306ec6bd331c6344afd43a7318
079c002b726e9367df3746ab6562fe23
bed6c0b1480c33d78178968c26206259
8a0a68d16fec55ea3c07ea6de4500b8f
53d570578307032d3f921ec2ba3cccf0
278c31aac865261c6efdfad5c44b3abf
3b71a2f9d418d95636623890887ec4e5
47adc2ef8540d44b6901860fd3c98b25
cafac5ed92504095a31aaf116d898c88
f183ec1d34fbe1a400c1e1919e5af1b6
9bc0019bc805331ba01ce31ed7e96b75
ca995c0ac4096a501c869ed0577f855f
a2bd18fdcff95c6aed5854f20d593748
fc8da1d6dce390b557ec6d4046dc2a8a
0c7d6124a15abd2f81dada99607a3813
0b07fde626af7b707befb5bce2e7c855
6b86612b8eb8359085ed6eb76e919fce
acd146488fc046a0a14fff05ece8d7d6
63057b7b765029e34aaacd56a1705c81
e7060de701746e204db1379bf6e5091c

URLs

URL	IP
hxxp://Jazz-1846647836.us-east-1.elb.amazonaws.com/
hxxp://e9287.g.akamaiedge.net/stub/spstub.exe
hxxp://sp-download.va.spccint.com/download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP
hxxp://e9287.g.akamaiedge.net/Installer/2.16.20.192/SPSetup.exe
hxxp://spms-download.va.spccint.com/download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP
hxxp://monitorbox1.info/?report_version=5&
hxxp://e3937.g.akamaiedge.net/spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/CT3309297
hxxp://sp-ip2location.va.spccint.com/ip/?client=sp
hxxp://a1015.g1.akamai.net/UP/settings/?ctid=CT3309297&UM=&c=CA&DUM=2
hxxp://monitorbox1.info/?step_id=4_2&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=*
hxxp://monitorbox1.info/addons/dfndr/180/tpq.exe
hxxp://datadownloadscan.info/get/?data=P/5VPunecjjtVl2XZT3pNPi74PImCtFB6hjJgTO4z7S5cbJwJFDhcNcDQGkX1fDa5Vy6HonzQcuuI39XGeo7ncmyCc0hl3lfGDomndl7srEdmClBZxzsWa7m7a5uiLdFlU7sfX733FbAWSCuiJbfOTvsv4Auo2u063ooFZG2hJ9neHGVokQh84nkyeoHowmgph9JOvnDL8nZ0IC9+hBB7MIUQ/7HokDjhUPbXapp89QO9TMhOv1Q7z4MKfkFkrjTI3T302H+u4k0KfVcefYYJZNWIYpYt0dJ+ShM4hMIugZsZvBf02BLPPxvYbtDSmYfrkh6BgXAMpyjspBMymUvQbKx/qhXXnsM/Ghn02+l/eVOpDkXBCmEfjZc7MWLxLjLCjProPOBQ4+U7P08CH/PD2pLzc6a+kdGRbLj3082peSz342AP+KDZ3rWMK6//d3jGUPxjFmUDjd4HAYnUOiQzHrUQk4enOo78UHu0w2hYGFaeSkg6z&version=4	162.210.192.21
hxxp://monitorbox1.info/?step_id=4_3&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=*
hxxp://monitorbox1.info/addons/agup.exe
hxxp://sp-storage.spccinta.com/stub/spstub.exe	23.9.111.99
hxxp://sp-download.spccint.com/download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP	199.101.114.124
hxxp://sp-storage.spccinta.com/Installer/2.16.20.192/SPSetup.exe	23.9.111.99
hxxp://spms-download.spccint.com/download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP	199.101.115.231
hxxp://orbtr-installer.databssint.com/	107.22.223.150
hxxp://r2.monitorbox1.info/?report_version=5&	54.191.186.103
hxxp://c1.installbox1.info/?step_id=4_3&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=*
hxxp://c1.installbox1.info/?step_id=4_2&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=*
hxxp://c.api.seccint.com/UP/settings/?ctid=CT3309297&UM=&c=CA&DUM=2	184.84.243.35
hxxp://sp-alive-msg.databssint.com/	54.225.145.186
hxxp://sp-usage.databssint.com/	54.225.157.67
hxxp://sp-settings.spccint.com/spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/CT3309297	23.9.97.214
hxxp://i1.installbox1.info/addons/agup.exe
hxxp://sp-ip2location.spccint.com/ip/?client=sp	199.101.114.209
hxxp://sp-installer.databssint.com/	54.225.145.186
hxxp://i1.installbox1.info/addons/dfndr/180/tpq.exe
c-sp-download.spccint.com	23.9.97.214
sp-autoupdate.spccint.com	23.9.97.214
servicemap.spccint.com	23.9.97.214

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE W32/InstallRex.Adware Report CnC Beacon
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

<font color="red">POST / HTTP/1.0<br>

Content-Type: application/json<br>

Accept: */*<br>

Host: sp-usage.databssint.com<br>

Content-Length: 417<br>

Connection: Keep-Alive<br>

Pragma: no-cache<br>

<br>

{"SP_ID":"SP2C59908A-129D-4A5A-982C-0E0732D1907D","Experiment":"","Variant":"","oslocale":"","environment":"","OS_version":"5.1","OS_name":"Microsoft Windows XP","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","sequence_timestamp":"1408101022108","SP_version":"2.16.20.192","brand":"SP","action_type":"driver_first_enabled","result":"success","failure_reason":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Access-Control-Allow-Methods: GET,POST,HEAD,OPTIONS,PUT<br>

Access-Control-Allow-Origin: *<br>

Date: Fri, 15 Aug 2014 16:09:33 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

<font color="red">GET /UP/settings/?ctid=CT3309297&UM=&c=CA&DUM=2 HTTP/1.1<br>

User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SP2C59908A-129D-4A5A-982C-0E0732D1907D<br>

Accept: */*<br>

Host: c.api.seccint.com<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Content-Type: application/json; charset=utf-8<br>

Server: Microsoft-IIS/7.5<br>

X-AspNetMvc-Version: 3.0<br>

X-AspNet-Version: 4.0.30319<br>

X-Powered-By: ASP.NET<br>

Content-Length: 4227<br>

Cache-Control: private, max-age=3600<br>

Expires: Fri, 15 Aug 2014 17:09:38 GMT<br>

Date: Fri, 15 Aug 2014 16:09:38 GMT<br>

Connection: keep-alive<br><pre>{"GeneralId":null,"Ctid":"CT3309297","ProviderId":2,"ProviderName":"Bi<br>ng","UserIP":""%local server IP%"","UserLanguage":"en","ToolbarLanguage":"en<br>","EntityLanguage":"en","CountryShortCode":"CA","IsUserRTL":false,"IsT<br>oolbarRTL":false,"IsEntityRTL":false,"ShowClientDialog":true,"HomePage<br>Url":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&<br>ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&UM=6&UP=UP_ID","IsCustomizedHo<br>mepage":false,"HomePageButtonUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT33<br>09297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&U<br>M=6&UP=UP_ID&SAT=HPB","UM":"","SearchDomain":"VVV.trovi.com","ToolbarS<br>earchBox":{"History":{"IsEnabled":true,"Position":1,"MaxAmount":5,"Lab<br>el":{"Text":"History"}},"Verticals":[{"Name":"SearchImages","SearchUrl<br>":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISI<br>D=ISID_ID&SearchSource=67&SearchType=SearchImages&CUI=SB_CUI&UM=6&UP=U<br>P_ID&q=UCM_SEARCH_TERM","EmptySearchUrl":"hXXp://VVV.trovi.com/?gd=&ct<br>id=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&Searc<br>hType=SearchImages&CUI=SB_CUI&UM=6&UP=UP_ID"}],"EmptySearchUrl":"http:<br>//VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_I<br>D&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID","SearchUrl":"hXXp://VVV.tr<br>ovi.com/Results.aspx?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=IS<br>ID_ID&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID&q=UCM_SEARCH_TERM","Sug<br>gest":{"SearchResultsUrl":"hXXp://VVV.trovi.com/Results.aspx?gd=&ctid=<br>CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&Sugg</pre><<< skipped >>></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/json<br>

Accept: */*<br>

User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SP2C59908A-129D-4A5A-982C-0E0732D1907D<br>

Host: sp-alive-msg.databssint.com<br>

Content-Length: 461<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"SP_ID":"SP2C59908A-129D-4A5A-982C-0E0732D1907D","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP","OS_version":"5.1","install_date":"20140815","environment":"","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","Experiment":"","Variant":"","driver_enabled":"false","action_type":"alive","type":"","brand":"SP","carrier_ID":"CT3309297","browser":"InternetExplorer","browser_version":"6.0.2900.5512"}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:37 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: orbtr-installer.databssint.com<br>

Content-Length: 707<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"orbtr_Stub_Init", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false -orbiter", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1"}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:17 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></font>....</pre></font><br><br><font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: orbtr-installer.databssint.com<br>

Content-Length: 907<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"orbtr_Stub_DownloadComplete", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false -orbiter", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0","result":"success","reason":"50" , "log":"10#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_download_time_sec":"1", "Installer_url":"hXXp://spms-storage.spccint.com/Installer/0.0.0.0/OrbiterInstaller.exe", "ExtraData":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:20 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></font>....</pre></font><br><br><font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: orbtr-installer.databssint.com<br>

Content-Length: 803<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"orbtr_Stub_Complete", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false -orbiter", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0","result":"success","reason":"50" , "log":"10#16#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_time_sec":"1", "ExtraData":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:23 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

<font color="red">GET /addons/dfndr/180/tpq.exe HTTP/1.1<br>

Accept: */*<br>

User-Agent: TixDll<br>

Host: i1.installbox1.info<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: openresty<br>

Date: Fri, 15 Aug 2014 16:09:44 GMT<br>

Content-Type: application/octet-stream<br>

Content-Length: 4983808<br>

Last-Modified: Wed, 30 Jul 2014 00:07:02 GMT<br>

Connection: close<br>

ETag: "53d83726-4c0c00"<br>

Accept-Ranges: bytes<br><pre>MZ......................@.............................................<br>..!..L.!This program cannot be run in DOS mode....$...........U...U...<br>[email protected].....\...P...U.......U...T....L\.X....LF.T....L<br>C.T...RichU...................PE..L......R.....................0D.....<br>[email protected]...@...............<br>...................3..<.......0.A..................pK..E...........<br>...........................@..........................................<br>..text............................... ..`.rdata..t-...................<br>.......@[email protected]... [email protected][email protected]<br>.................@[email protected]......,[email protected].........<br>......................................................................<br>......................................................................<br>......................................................................<br>......................................................................<br>...............................................U......E......E......E.<br>[email protected].;E.s..E..E....3E..E..E.i......E....E...U..].U.....<br>.}..u..e...r.E..E..E..E..E..E..E..E....E.@@.E..E.@@.E..E.H.E..}..v7.E.<br>....M....;.t%.E.....M....;.}..M.....E......E..E......e...E...U......M.<br>.E..M...;.u..P.E..8.t6.E......E..}..u.j..M..H....M.........E....E..E..<br>M.....j..M.."....M..v....E.....U..Q.M...U......M..E..x..r..E..E..E....<br>E....E..E..E..E..E.P.M.......E...D!H..E.....U..Q.M..M..O....E....t..u.<br>.....Y.E.....U..Q.M..M..(.....U..j.h..G.d.....Pd.%......,.M.j..M..</pre><<< skipped >>></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 968<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"install_start","SP_ID":"SP2C59908A-129D-4A5A-982C-0E0732D1907D","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3309297","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1408101016796","profile_number":"1","user_number":"1", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "download_length": 3906, "install_type": "install", "result": "SP_RESULT", "reason": "SP_FAIL_REASON","v_env_tests":"V_ENV_TESTS_ALIAS","v_env_codes":"V_ENV_CODES_ALIAS","channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"","extra_info":"","Experiment":"","Variant":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:28 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

<font color="red">GET /ip/?client=sp HTTP/1.1<br>

User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SP2C59908A-129D-4A5A-982C-0E0732D1907D<br>

Accept: */*<br>

Host: sp-ip2location.spccint.com<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Cache-Control: private<br>

Content-Length: 167<br>

Content-Type: application/json; charset=text/plain<br>

Server: Microsoft-IIS/7.5<br>

X-AspNet-Version: 4.0.30319<br>

X-Powered-By: ASP.NET<br>

Date: Fri, 15 Aug 2014 16:08:08 GMT<br><pre>{"Location":{"City":"MONTREAL","Country":"CANADA","CountryCode":"CA","<br>IP":""%local server IP%"","Latitude":45.50884,"Longitude":-73.58781,"Region"<br>:"QUEBEC"},"Language":"en"}..</pre></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 689<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"Stub_Init", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1"}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:11 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></font>....</pre></font><br><br><font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 886<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"Stub_DownloadComplete", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0","result":"success","reason":"0" , "log":"10#6-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_download_time_sec":"4", "Installer_url":"hXXp://sp-storage.spccinta.com/Installer/2.16.20.192/SPSetup.exe", "ExtraData":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:18 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></font>....</pre></font><br><br><font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 794<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"Stub_Complete", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M1E95D34D-01FE-4869-AA16-13BE9143470C -downloadlength=1093 -EXT_ISID=false", "download_length": "1093", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","installer_version":"2.4.3.0","result":"success","reason":"0" , "log":"10#6-0#8#9-0-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_time_sec":"23", "ExtraData":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:42 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

<font color="red">GET /Installer/2.16.20.192/SPSetup.exe HTTP/1.1<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-storage.spccinta.com<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Last-Modified: Fri, 15 Aug 2014 18:49:18 GMT<br>

Accept-Ranges: bytes<br>

ETag: "30fa0875de550a8d5c8d3bc251a75073"<br>

Server: Microsoft-IIS/7.5<br>

X-Powered-By: ASP.NET<br>

Content-Length: 6837632<br>

Date: Fri, 15 Aug 2014 16:09:13 GMT<br>

Connection: keep-alive<br><pre>MZ......................@.............................................<br>..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7<br>.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........<br>..............PE..L....q.N.................d.......B..K5............@.<br>......................... *.....5.h...................................<br>............(..y...........=h.........................................<br>.....................................................text....c.......d<br>.................. ..`.rdata...............h..............@[email protected]...<br>[email protected]....!...........................<br>...rsrc....y....(..z..................@..@............................<br>......................................................................<br>......................................................................<br>......................................................................<br>......................................................................<br>............................................U....\.}..t .}.F.E.u..H...<br>...G..H.P.u..u..u...|[email protected][email protected].....@<br>..}[email protected]... M..........M........E...FQ.....NU..M<br>.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u<br>[email protected]}[email protected].}.j.W.E......E.......P<br>[email protected][email protected][email protected] [email protected]..<br>...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..<br>...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.</pre><<< skipped >>></font><br><br

<font color="red">GET /get/?data=P/5VPunecjjtVl2XZT3pNPi74PImCtFB6hjJgTO4z7S5cbJwJFDhcNcDQGkX1fDa5Vy6HonzQcuuI39XGeo7ncmyCc0hl3lfGDomndl7srEdmClBZxzsWa7m7a5uiLdFlU7sfX733FbAWSCuiJbfOTvsv4Auo2u063ooFZG2hJ9neHGVokQh84nkyeoHowmgph9JOvnDL8nZ0IC9+hBB7MIUQ/7HokDjhUPbXapp89QO9TMhOv1Q7z4MKfkFkrjTI3T302H+u4k0KfVcefYYJZNWIYpYt0dJ+ShM4hMIugZsZvBf02BLPPxvYbtDSmYfrkh6BgXAMpyjspBMymUvQbKx/qhXXnsM/Ghn02+l/eVOpDkXBCmEfjZc7MWLxLjLCjProPOBQ4+U7P08CH/PD2pLzc6a+kdGRbLj3082peSz342AP+KDZ3rWMK6//d3jGUPxjFmUDjd4HAYnUOiQzHrUQk4enOo78UHu0w2hYGFaeSkg6z&version=4 HTTP/1.1<br>

Accept: */*<br>

User-Agent: win32<br>

Host: datadownloadscan.info<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: ngx_openresty<br>

Date: Fri, 15 Aug 2014 16:11:44 GMT<br>

Content-Length: 0<br>

Connection: close<br><pre></pre></font><br><br

<font color="red">GET /stub/spstub.exe HTTP/1.1<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-storage.spccinta.com<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Last-Modified: Fri, 15 Aug 2014 19:08:13 GMT<br>

Accept-Ranges: bytes<br>

ETag: "8089503af264c1568a46208aea546eff"<br>

Server: Microsoft-IIS/7.5<br>

X-Powered-By: ASP.NET<br>

Content-Length: 177352<br>

Date: Fri, 15 Aug 2014 16:09:09 GMT<br>

Connection: keep-alive<br><pre>MZ......................@.............................................<br>..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7<br>.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........<br>..............PE..L....q.N.................d.......B..K5............@.<br>.........................p!......~....................................<br>...........`!.0.......................................................<br>.....................................................text....c.......d<br>.................. ..`.rdata...............h..............@[email protected]...<br>[email protected]............................<br>...rsrc...0....`!.....................@..@............................<br>......................................................................<br>......................................................................<br>......................................................................<br>......................................................................<br>............................................U....\.}..t .}.F.E.u..H...<br>...G..H.P.u..u..u...|[email protected][email protected].....@<br>..}[email protected]... M..........M........E...FQ.....NU..M<br>.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u<br>[email protected]}[email protected].}.j.W.E......E.......P<br>[email protected][email protected][email protected] [email protected]..<br>...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..<br>...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.</pre><<< skipped >>></font><br><br

<font color="red">GET /download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP HTTP/1.1<br>

Accept: application/sp-download-v2<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-download.spccint.com<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Cache-Control: no-cache, no-store<br>

Pragma: no-cache<br>

Content-Type: application/json; charset=utf-8<br>

Expires: -1<br>

Server: Microsoft-IIS/7.5<br>

X-AspNet-Version: 4.0.30319<br>

X-Powered-By: ASP.NET<br>

Date: Fri, 15 Aug 2014 16:07:44 GMT<br>

Content-Length: 71<br><pre>"http:\/\/sp-storage.spccinta.com\/Installer\/2.16.20.192\/SPSetup.exe<br>"..</pre></font><br><br

<font color="red">GET /download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP HTTP/1.1<br>

Accept: application/sp-download-v2<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: spms-download.spccint.com<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Cache-Control: no-cache, no-store<br>

Pragma: no-cache<br>

Content-Length: 79<br>

Content-Type: application/json; charset=utf-8<br>

Expires: -1<br>

Server: Microsoft-IIS/7.5<br>

X-AspNet-Version: 4.0.30319<br>

X-Powered-By: ASP.NET<br>

Date: Fri, 15 Aug 2014 16:07:49 GMT<br><pre>"http:\/\/spms-storage.spccint.com\/Installer\/0.0.0.0\/OrbiterInstall<br>er.exe 1"..</pre></font><br><br

<font color="red">GET /?step_id=4_3&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=* HTTP/1.1<br>

Accept: */*<br>

User-Agent: TixDll<br>

Host: c1.installbox1.info<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: openresty<br>

Date: Fri, 15 Aug 2014 16:10:01 GMT<br>

Content-Type: text/html<br>

Content-Length: 6884<br>

Connection: close<br>

Content-Disposition: attachment; filename="4_3.txt"<br><pre>..[.I.n.s.t.a.l.l.e.r.]...P.r.o.d.u.c.t.N.a.m.e.=.".S.e.t.u.p."...P.r.<br>o.d.u.c.t.V.e.r.s.i.o.n.=.".1...0."...P.r.o.d.u.c.t.C.o.d.e.=.".5.b.b.<br>b.0.4.8.e.-.4.7.3.c.-.4.7.2.e.-.8.c.c.b.-.a.7.f.1.b.0.2.0.5.7.6.a."...<br>P.u.b.l.i.s.h.e.r.I.D.=.".3.8.8."...S.o.u.r.c.e.I.D.=.".0."...P.a.g.e.<br>I.D.=.".0."...A.f.f.i.l.i.a.t.e.I.D.=.".1._.e.x.e."...I.n.s.t.a.l.l.e.<br>r.I.D.=.".6.9.0.0.7.1.3.1.4."...L.o.c.a.l.e.=.".<.L.a.n.g.u.a.g.e.&<br>gt;."...D.a.t.e.=.".2.0.1.4./.0.8./.1.5."...T.i.m.e.=.".1.6.:.1.0.:.0.<br>1."...S.h.o.w.I.n.T.a.s.k.b.a.r.=.".1."...H.i.d.e.S.c.r.e.e.n.s.=.".0.<br>"...R.u.n.O.n.c.e.=.".1."...L.o.g.U.r.l.=."."...L.o.g.S.t.a.r.t.e.d.=.<br>"."...L.o.g.F.i.n.i.s.h.e.d.=."."...L.o.g.B.e.f.o.r.e.S.e.n.d.R.e.p.o.<br>r.t.=."."...L.o.g.A.f.t.e.r.S.e.n.d.R.e.p.o.r.t.=.".".....[.S.e.r.v.e.<br>r.]...I.D.=.".3."...L.o.c.a.t.i.o.n.=.".D.E.".....[.U.s.e.r.I.n.f.o.].<br>..C.o.u.n.t.r.y.C.o.d.e.=.".U.S."...I.P.A.d.d.r.e.s.s.=.".1.8.4...1.0.<br>7...3.8...3.8."...W.e.b.B.r.o.w.s.e.r.=.".4.".....[.R.n.d.G.e.n.]...P.<br>e.r.c.e.n.t.a.g.e.=.".6.2.".....[.S.c.r.e.e.n.7.6.]...T.i.t.l.e.=.".S.<br>e.t.u.p."...B.u.t.t.o.n.1.=.".T.r.y. .A.g.a.i.n."...B.u.t.t.o.n.2.=.".<br>C.a.n.c.e.l."...L.a.b.e.l.1.=.".W.e.'.r.e. .s.o.r.r.y.:. .t.h.e. .d.o.<br>w.n.l.o.a.d. .l.i.n.k. .s.e.e.m.s. .t.o. .b.e. .b.r.o.k.e.n... .P.l.e.<br>a.s.e. .v.i.s.i.t. .t.h.e. .a.u.t.h.o.r.'.s. .h.o.m.e.p.a.g.e. .f.o.r.<br> .f.u.r.t.h.e.r. .i.n.f.o.r.m.a.t.i.o.n..."...[.S.c.r.e.e.n.7.5.]...T.<br>i.t.l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".Y.e.s."...B.u.t.t.o.n.2.=.<br>".N.o."...L.a.b.e.l.1.=.".A.r.e. .y.o.u. .s.u.r.e.?."...[.S.e.l.e.</pre><<< skipped >>></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 1079<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"install_completed","SP_ID":"SP2C59908A-129D-4A5A-982C-0E0732D1907D","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3309297","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1408101030530","profile_number":"1","user_number":"1", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C", "download_length": 3906, "install_type": "install", "result": "success", "reason": "0","v_env_tests":{"10_ProcessesExists":"0","10_ModuleInjected":"0","10_FakeSPServiceParent":"0","12_ProcessesExists":"0","12_StatusKeyExists":"0"},"v_env_codes":{"10":"0","12":"0"},"channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"cleanmachine","extra_info":"","Experiment":"","Variant":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:42 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre>HTTP/1.1 202 Accepted..Date: Fri, 15 Aug 2014 16:09:42 GMT..P3P: CP="N<br>OI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length<br>: 0..Connection: keep-alive..</pre></font><br><br

<font color="red">GET /?step_id=4_2&installer_id=690071314&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3416576962&external_id=0&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&session_id=4193620160&hardware_id=1419924024&installer_file_name=setup&uuid=* HTTP/1.1<br>

Accept: */*<br>

User-Agent: TixDll<br>

Host: c1.installbox1.info<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: openresty<br>

Date: Fri, 15 Aug 2014 16:09:44 GMT<br>

Content-Type: text/html<br>

Content-Length: 9094<br>

Connection: close<br>

Content-Disposition: attachment; filename="4_2.txt"<br><pre>..[.I.n.s.t.a.l.l.e.r.]...P.r.o.d.u.c.t.N.a.m.e.=.".S.e.t.u.p."...P.r.<br>o.d.u.c.t.V.e.r.s.i.o.n.=.".1...0."...P.r.o.d.u.c.t.C.o.d.e.=.".7.7.5.<br>e.8.6.5.0.-.2.1.7.d.-.4.7.7.e.-.b.e.8.2.-.f.e.0.f.f.8.5.5.c.7.2.1."...<br>P.u.b.l.i.s.h.e.r.I.D.=.".3.8.8."...S.o.u.r.c.e.I.D.=.".0."...P.a.g.e.<br>I.D.=.".0."...A.f.f.i.l.i.a.t.e.I.D.=.".1._.e.x.e."...I.n.s.t.a.l.l.e.<br>r.I.D.=.".6.9.0.0.7.1.3.1.4."...L.o.c.a.l.e.=.".<.L.a.n.g.u.a.g.e.&<br>gt;."...D.a.t.e.=.".2.0.1.4./.0.8./.1.5."...T.i.m.e.=.".1.6.:.0.9.:.4.<br>4."...S.h.o.w.I.n.T.a.s.k.b.a.r.=.".1."...H.i.d.e.S.c.r.e.e.n.s.=.".0.<br>"...R.u.n.O.n.c.e.=.".1."...L.o.g.U.r.l.=."."...L.o.g.S.t.a.r.t.e.d.=.<br>"."...L.o.g.F.i.n.i.s.h.e.d.=."."...L.o.g.B.e.f.o.r.e.S.e.n.d.R.e.p.o.<br>r.t.=."."...L.o.g.A.f.t.e.r.S.e.n.d.R.e.p.o.r.t.=.".".....[.S.e.r.v.e.<br>r.]...I.D.=.".3."...L.o.c.a.t.i.o.n.=.".D.E.".....[.U.s.e.r.I.n.f.o.].<br>..C.o.u.n.t.r.y.C.o.d.e.=.".U.S."...I.P.A.d.d.r.e.s.s.=.".1.8.4...1.0.<br>7...3.8...3.8."...W.e.b.B.r.o.w.s.e.r.=.".4.".....[.R.n.d.G.e.n.]...P.<br>e.r.c.e.n.t.a.g.e.=.".4.3.".....[.S.c.r.e.e.n.7.5.]...T.i.t.l.e.=.".S.<br>e.t.u.p."...B.u.t.t.o.n.1.=.".Y.e.s."...B.u.t.t.o.n.2.=.".N.o."...L.a.<br>b.e.l.1.=.".A.r.e. .y.o.u. .s.u.r.e.?."...[.S.c.r.e.e.n.7.6.]...T.i.t.<br>l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".T.r.y. .A.g.a.i.n."...B.u.t.t.<br>o.n.2.=.".C.a.n.c.e.l."...L.a.b.e.l.1.=.".W.e.'.r.e. .s.o.r.r.y.:. .t.<br>h.e. .d.o.w.n.l.o.a.d. .l.i.n.k. .s.e.e.m.s. .t.o. .b.e. .b.r.o.k.e.n.<br>.. .P.l.e.a.s.e. .v.i.s.i.t. .t.h.e. .a.u.t.h.o.r.'.s. .h.o.m.e.p.a.g.<br>e. .f.o.r. .f.u.r.t.h.e.r. .i.n.f.o.r.m.a.t.i.o.n..."...[.S.e.l.e.</pre><<< skipped >>></font><br><br

<font color="red">GET /spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/CT3309297 HTTP/1.1<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-settings.spccint.com<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Content-Type: application/json; charset=text/plain<br>

Last-Modified: Sun, 10 Aug 2014 20:06:28 GMT<br>

ETag: "7ace2b0a2d45a9208d14608e8a3fea78"<br>

Server: Microsoft-IIS/7.5<br>

X-AspNet-Version: 4.0.30319<br>

X-Powered-By: ASP.NET<br>

Content-Length: 763<br>

Cache-Control: private, max-age=900<br>

Expires: Fri, 15 Aug 2014 16:24:23 GMT<br>

Date: Fri, 15 Aug 2014 16:09:23 GMT<br>

Connection: keep-alive<br><pre>{"InstallerSettings":{"CHExtension_Id":null,"CHExtension_LandingPage":<br>null,"CHExtension_Name":null,"DEFAULT_CMD":"-carrier_type=CTID -carrie<br>r_id=CT3331172 -Platform=all -startpage=true -defaultsearch=true -inst<br>all_time_revert=true","DUM":"2","InstallSPPDriver":null,"IsAUAllowedno<br>TB":"true","LOST_USERS":"false","PING":"false","SERVICE_LOST_USERS":nu<br>ll,"TbExternalAssetsEnable":"true","UNINSTALL_PING":"false"},"AbTestSe<br>ttings":{"Experiment":"","Variant":"","TestParameter":""},"CarrierSett<br>ings":{"CHExtensionMode":"false","v_env":"true","v_env_10":"true","v_e<br>nv_12":"false"},"signature":"PPJUtVBuf3mq4bSjHfCsPw0GVGgp99IghgIBJ9ghQ<br>yHjTCEGgcsEffb099GrCK7NwFnh16V1V6GO1QUTahcxWN9Saw2WlvY KWSHhWpPzWwBcHS<br>yChLzrmENQcLwfqx00VEJYOFQfuJlUaRc7cOOrUha8SZCLWiPBJ6S2ajhIuA="}..</pre></font><br><br

<font color="red">GET /addons/agup.exe HTTP/1.1<br>

Accept: */*<br>

User-Agent: TixDll<br>

Host: i1.installbox1.info<br>

<br>

</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: openresty<br>

Date: Fri, 15 Aug 2014 16:10:01 GMT<br>

Content-Type: application/octet-stream<br>

Content-Length: 1082880<br>

Last-Modified: Wed, 30 Jul 2014 00:07:01 GMT<br>

Connection: close<br>

ETag: "53d83725-108600"<br>

Accept-Ranges: bytes<br><pre>MZ......................@.............................................<br>..!..L.!This program cannot be run in DOS mode....$...........G..[G..[<br>G..[!i([D..[.A*[]..[N.c[F..[.A([...[.A)[...[N.d[B..[N.t[H..[G..[...[G.<br>.[E..[!i4[N..[!i.[F..[!i [F..[RichG..[................PE..L......S....<br>.............d..........Cd............................................<br>...K..................................................................<br>.............................................9..@...............D.....<br>.......................text....c.......d.................. ..`.rdata..<br>f".......$...h..............@[email protected]..........................@.<br>...rsrc...............................@..@............................<br>......................................................................<br>......................................................................<br>......................................................................<br>......................................................................<br>.................................................i..C.....&....%......<br>.....U...E..8.u.3.].P..B..Y].U...}..u.3.]..E..u....P.u..JC.....].j... <br>....U.....u..M.... ...E..t.V.X...Y....U.....j... ....U...M..M.... ...v<br>U....J...j...d....U...5.............u..F..t.j..........u.......t.3....<br>/U....M..G ...e...E.$....M..h.K...E.P..T...j...d....U...5.............<br>u..F..t.j....).....u.......t.3.....T....M.......e...E.$....M..h.K...E.<br>P.FT...j...d....T...5.............u..F..t.j..........u.......t.3...._T<br>....M..w....e...E.$....M..h.K...E.P..S...j...d...^T...5...........</pre><<< skipped >>></font><br><br

<font color="red">POST /?report_version=5& HTTP/1.1<br>

Accept: */*<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: TixDll<br>

Host: r2.monitorbox1.info<br>

Content-Length: 547<br>

Cache-Control: no-cache<br>

<br>

data=+pn5yxcBOV6//Ze+xzU6v/x/kjcRd6/D97CRLkpsNfv1PH6oxgzQL5E0nPsxD216/63uxYF7+99yRAvxLg3wryQYfFTG6JGx3Pcw6L+xN7cKCMZDLeJ5PJe+jAeYjUUmMqJqU1MxRUBjK1jbIfv8dd3n12qf0ALMprmcWI9XHmSs7oIFGrjUqqddyPiwioKJr8ckwjCJE9fVBA3lAuCWv1l9Wg+26b6nKBHNaHLyNGVkn6W5EUmVsq303FxUbQd6JEybvfQ6RkHIacrqoGZeCEM1av/Jhjo7Npm97Ydf/ys6g8TkflTW2p5iBG4BPiK04WvgQ/EoO75lpN0+MzxPFRZb3GN+If9Q179MFjfBp6Y/XnX6yJRpZ6Cq9V7hn0J9Oz4DqW9Juf8Kc9wttJAkVQYgsBjh41prwPJKOCZgHAA8C9dmexyBKuA3ZB+iKxeOzdyTRGpiK51j1J8MUpRt2KXkrDfXUhnTO7SthhzUyayG9wWZWUqDXUNkVr8UuK9eAetUD0tCUIHw</font><br><font color="blue">HTTP/1.1 200 OK<br>

Server: openresty<br>

Date: Fri, 15 Aug 2014 16:09:21 GMT<br>

Content-Type: application/json; charset=UTF-8<br>

Content-Length: 2<br>

Connection: close<br><pre>{}..</pre></font><br><br

<font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 429<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"MiniStub_Init", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C","environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"CT3309297", "machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG", "installer_version":"1.1.2.4", "origin":""}</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:07 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></font>....</pre></font><br><br><font color="red">POST / HTTP/1.1<br>

Content-Type: application/x-www-form-urlencoded<br>

User-Agent: NSIS_Inetc (Mozilla)<br>

Host: sp-installer.databssint.com<br>

Content-Length: 469<br>

Connection: Keep-Alive<br>

Cache-Control: no-cache<br>

<br>

{"event_type":"MiniStub_Complete", "installation_session_id":"M1E95D34D-01FE-4869-AA16-13BE9143470C","environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"CT3309297", "machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG", "installer_version":"1.1.2.4", "origin":"", "result":"success", "reason": "0" }</font><br><font color="blue">HTTP/1.1 202 Accepted<br>

Date: Fri, 15 Aug 2014 16:09:43 GMT<br>

P3P: CP="NOI ADM DEV COM NAV OUR STP"<br>

Server: Apache-Coyote/1.1<br>

Content-Length: 0<br>

Connection: keep-alive<br><pre></pre></font><br><br

The Backdoor connects to the servers at the folowing location(s):

CltMngSvc.exe_1912:

.text

`.rdata

@.data

.rsrc

@.reloc

.EKSWU

\$$;\$0|

DlSHA512 block transform for x86, CRYPTOGAMS by <[email protected]>

Camellia for x86 by <[email protected]>

AES for Intel AES-NI, CRYPTOGAMS by <[email protected]>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <[email protected]>

RC4 for x86, CRYPTOGAMS by <[email protected]>

Montgomery Multiplication for x86, CRYPTOGAMS by <[email protected]>

SHA1 block transform for x86, CRYPTOGAMS by <[email protected]>

SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>

GHASH for x86, CRYPTOGAMS by <[email protected]>

GF(2^m) Multiplication for x86, CRYPTOGAMS by <[email protected]>

FtPS

[email protected]

t.JuG

PSSSSSSh

t.VVW

<1%u5

FTPj

tCPQ

,4,56,789

u.hLKe

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

0123456789-

%b %d %H : %M : %S %Y

%m / %d / %y

%I : %M : %S %p

%d / %m / %y

boost thread: trying joining itself

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

Visual C   CRT: Not enough memory to complete call to strerror.

Operation not permitted

Inappropriate I/O control operation

Broken pipe

operator

GetProcessWindowStation

kernel32.dll

left-curly-bracket

right-curly-bracket

RSA part of OpenSSL 1.0.1e 11 Feb 2013

SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

passed a null parameter

DSO support routines

x509 certificate routines

?456789:;<=

!"#$%&'()* ,-./0123

Big Number part of OpenSSL 1.0.1e 11 Feb 2013

pubkey

PEM part of OpenSSL 1.0.1e 11 Feb 2013

enc_key

key_enc_algor

cert

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

d.data

d.other

NETSCAPE_CERT_SEQUENCE

certs

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

DSA part of OpenSSL 1.0.1e 11 Feb 2013

priv_key

pub_key

.\crypto\ec\ec_key.c

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

Any Extended Key Usage

anyExtendedKeyUsage

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

%'%1%=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

RAND part of OpenSSL 1.0.1e 11 Feb 2013

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

lhash part of OpenSSL 1.0.1e 11 Feb 2013

Stack part of OpenSSL 1.0.1e 11 Feb 2013

Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013

value.single

value.set

EVP part of OpenSSL 1.0.1e 11 Feb 2013

name.relativename

name.fullname

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*s%s:

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

AUTHORITY_KEYID

keyid

cert_info

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

EC part of OpenSSL 1.0.1e 11 Feb 2013

USER32.DLL

NETAPI32.DLL

KERNEL32.DLL

ADVAPI32.DLL

.\crypto\dh\dh_key.c

%s: (%d bit)

Public-Key

Private-Key

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

Public-Key: (%d bit)

Private-Key: (%d bit)

SHA1 part of OpenSSL 1.0.1e 11 Feb 2013

SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013

RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013

SHA part of OpenSSL 1.0.1e 11 Feb 2013

MD5 part of OpenSSL 1.0.1e 11 Feb 2013

MD4 part of OpenSSL 1.0.1e 11 Feb 2013

AES part of OpenSSL 1.0.1e 11 Feb 2013

CAST part of OpenSSL 1.0.1e 11 Feb 2013

Blowfish part of OpenSSL 1.0.1e 11 Feb 2013

:RC2 part of OpenSSL 1.0.1e 11 Feb 2013

.pp@0

aEÐ

 (#EÚ

ÚE<<0

IDEA part of OpenSSL 1.0.1e 11 Feb 2013

libdes part of OpenSSL 1.0.1e 11 Feb 2013

DES part of OpenSSL 1.0.1e 11 Feb 2013

\X

ddddddZ

ddddddZ

%d.%d.%d.%d

<unsupported>

IP Address:%d.%d.%d.%d

URI:%s

DNS:%s

email:%s

EdiPartyName:<unsupported>

X400Name:<unsupported>

othername:<unsupported>

%d.%d.%d.%d/%d.%d.%d.%d

X509_CERT_PAIR

X509_CERT_AUX

X.509 part of OpenSSL 1.0.1e 11 Feb 2013

x%s

%s - d:d:d%.*s %d%s

keylen <= sizeof key

EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)

ECDSA part of OpenSSL 1.0.1e 11 Feb 2013

Basis Type: %s

Field Type: %s

ASN1 OID: %s

%s %s%lu (%s0x%lx)

'() ,-./:=?

Verifying - %s

%*sPolicy Text: %s

%*scrlUrl:

EXTENDED_KEY_USAGE

%*sZone: %s, User:

.\crypto\x509v3\v3_akey.c

d.usernotice

d.cpsuri

CERTIFICATEPOLICIES

%*sExplicit Text: %s

%*sNumber%s:

%*sOrganization: %s

%*sCPS: %s

PKEY_USAGE_PERIOD

keyCertSign

Certificate Sign

keyAgreement

Key Agreement

keyEncipherment

Key Encipherment

.\crypto\x509v3\v3_skey.c

CONF part of OpenSSL 1.0.1e 11 Feb 2013

PROXY_CERT_INFO_EXTENSION

hexkey

rsa_keygen_pubexp

rsa_keygen_bits

keylength

keyfunc

len>=0 && len<=(int)sizeof(ctx->key)

j <= (int)sizeof(ctx->key)

.\crypto\pkcs12\p12_key.c

d.receiptList

d.allOrFirstTier

d.compressedData

d.authenticatedData

d.encryptedData

d.digestedData

d.envelopedData

d.signedData

d.ori

d.pwri

d.kekri

d.kari

d.ktri

CMS_PasswordRecipientInfo

keyDerivationAlgorithm

keyIdentifier

CMS_KeyAgreeRecipientInfo

recipientEncryptedKeys

CMS_OriginatorIdentifierOrKey

d.originatorKey

CMS_OriginatorPublicKey

CMS_RecipientEncryptedKey

CMS_KeyAgreeRecipientIdentifier

d.rKeyId

CMS_RecipientKeyIdentifier

CMS_OtherKeyAttribute

keyAttr

keyAttrId

CMS_KeyTransRecipientInfo

encryptedKey

keyEncryptionAlgorithm

certificates

d.crl

d.subjectKeyIdentifier

d.issuerAndSerialNumber

CMS_CertificateChoices

d.v2AttrCert

d.v1AttrCert

d.extendedCertificate

d.certificate

CMS_OtherCertificateFormat

otherCert

otherCertFormat

crlUrl

certStatus

certId

OCSP_CERTSTATUS

value.unknown

value.revoked

value.good

value.byKey

value.byName

reqCert

OCSP_CERTID

issuerKeyHash

CONF_def part of OpenSSL 1.0.1e 11 Feb 2013

[[%s]]

[%s] %s=%s

ECDH part of OpenSSL 1.0.1e 11 Feb 2013

value.bag

value.safes

value.shkeybag

value.keybag

value.sdsicert

value.x509cert

value.other

%s.dll

!f%f#f

_(_>_6_ _

_ _>_4_:_0_)_:_-_

_:_)_:_1_ _

:_-_-_0_-_

]>]2]3]9](]4])]

]<].].]8])]

]9]4].]>]2] ]8]/]8]9]

F6F4F)F2F#FòF/F)F(F

F%F.F'F(F!F#F

;_:_9_>_*_3_ _

_:_>_-_<_7_

^0^5^0^1^)^0^

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp

{{{$1053}}}

{{{$1056}}}

{{{$1057}}}

{{{$631}}}

{{{$1058}}}

]8]<]/]>]5]}]

]/]2])]8]>])]2]/]}]

]/]<].]5]

{{{$1064}}}

{{{$1067}}}

{{{$1066}}}

{{{$1069}}}

{{{$1068}}}

{{{$1071}}}

{{{$1070}}}

{{{$1073}}}

{{{$1072}}}

{{{$1075}}}

{{{$1074}}}

{{{$1077}}}

{{{$1076}}}

{{{$1079}}}

{{{$1078}}}

{{{$1081}}}

{{{$1080}}}

{{{$1082}}}

{{{$1110}}}

{{{$1111}}}

{{{$1113}}}

{{{$1112}}}

{{{$1115}}}

{{{$1114}}}

{{{$1117}}}

{{{$1116}}}

{{{$1118}}}

{{{$1120}}}

{{{$1119}}}

{{{$1122}}}

{{{$1121}}}

{{{$1125}}}

{{{$1126}}}

{{{$1123}}}

{{{$1124}}}

{{{$1132}}}

{{{$1131}}}

{{{$1134}}}

{{{$1133}}}

{{{$1135}}}

{{{$1137}}}

{{{$1136}}}

{{{$1139}}}

{{{$1138}}}

{{{$1141}}}

{{{$1140}}}

{{{$138}}}

{{{$139}}}

{{{$140}}}

{{{$141}}}

{{{$143}}}

{{{$142}}}

{{{$145}}}

{{{$144}}}

{{{$146}}}

{{{$124}}}

{{{$125}}}

{{{$128}}}

{{{$129}}}

{{{$126}}}

{{{$127}}}

{{{$132}}}

{{{$133}}}

{{{$130}}}

{{{$131}}}

{{{$134}}}

{{{$135}}}

]3].])]<]1]1]8]9]

2_:_ _7_0_;_

/[3[)[>[:[?[

^;^,^(^7^=^;^~^;^&^7^-^*^-^~^<^ ^*^~^

^;^,^(^7^=^;^~^,^;^*^ ^,^0^;^:^~^;^,^,^1^,^~^

v%@%W%S%L%F%@%

%l%K%V%Q%D%I%I%

%v%@%W%S%L%F%@%

%f%W%@%D%Q%@%A%

%j%U%@%K%@%A%

\9\.\*\5\?\9\|\

{{{$478}}}

{{{$476}}}

{{{$466}}}

{{{$473}}}

,\0\=\(\:\3\.\1\

\3\3\(\/\(\.\=\,\9\.\|\

\9\;\5\/\(\9\.\

\.\3\ \/\9\.\

\5\:\9\(\5\1\9\

\*\9\2\(\|\>\.\3\ \/\9\.\|\

{{{$488}}}

{{{$489}}}

{{{$490}}}

{{{$491}}}

{{{$492}}}

{{{$493}}}

{{{$494}}}

{{{$501}}}

{{{$502}}}

{{{$499}}}

{{{$500}}}

{{{$503}}}

{{{$505}}}

{{{$504}}}

{{{$508}}}

{{{$509}}}

{{{$506}}}

{{{$507}}}

{{{$511}}}

{{{$512}}}

{{{$510}}}

{{{$513}}}

{{{$514}}}

{{{$515}}}

{{{$518}}}

{{{$516}}}

{{{$517}}}

{{{$519}}}

{{{$520}}}

{{{$521}}}

{{{$522}}}

{{{$523}}}

{{{$524}}}

{{{$525}}}

{{{$526}}}

{{{$527}}}

{{{$528}}}

{{{$616}}}

{{{$617}}}

{{{$614}}}

{{{$615}}}

{{{$618}}}

{{{$619}}}

C,CÇC4C"C1C&C

@/@&@4@7@!@2@%@

@/@:@)@,@,@!@

@/@:@)@,@,@!@`@

@)@2@%@&@/@8@

{{{$409}}}

{{{$407}}}

{{{$408}}}

{{{$410}}}

@%@!@2@#@(@

@(@/@2@4@

{{{$411}}}

{{{$413}}}

{{{$414}}}

{{{$415}}}

v%J%C%Q%R%D%W%@%y%d%U%U%a%D%Q%D%i%J%R%y%v%J%C%Q%R%D%W%@%y%v%H%D%W%Q%g%D%W%y%c%c%

7<.-8;)8><~

{{{$317}}}

{{{$318}}}

{{{$319}}}

{{{$339}}}

KEYWORDS

KEYWORD

{{{$362}}}

{{{$364}}}

{{{$363}}}

{{{$365}}}

]2]3]9](]4])]

]?].])]/]<]>])]4]2]3]

]<]$]8]/]

CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);

insert into ItemTable (key, value) VALUES ('%s', '%s');

4]>]2]3]

\1\=\;\9\

\(\=\(\9\

{{{$636}}}

{{{$635}}}

{{{$634}}}

5|1|=|;|9|#|/|(|=|(|9|#|;|9|2|9|.|=|0|5|&|9|#|.|9|/|9|=|0|#|(|3|#|=|)|8|5|(|

{{{$637}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h

\StringFileInfo\xx\%s

Module %d

%d/%d/%d d:d:d

(more frames truncated from call stack report)

File Size: %-10d File Time: %s

Checksum: 0xx Time Stamp: 0xx

Image Base: 0xx Image Size: 0xx

FileDesc: %s

Product: %s

Company: %s

ProdVer: %d.%d.%d.%d

FileVer: %d.%d.%d.%d

Windows Vista

Windows Server 2008

Windows 8

Windows Server 2012

Windows 7

Windows Server 2008 R2

Windows 9

Web Edition

Windows Server 9

Windows XP

(build %d)

Windows 2000

Error occurred at %s.

This sample does not support this version of Windows.

%d processor(s), type %d.

Operating system: Could not Determine

Operating system: %s

%d MBytes paging file.

%d MBytes physical memory free.

%d%% memory in use.

%d MBytes user address space free.

Windows Storage Server 2003

Windows Server 2003 R2

Web Server Edition

%d MBytes user address space.

Windows Server 2003

Windows XP Professional x64 Edition

a Float Denormal Operand

Windows Home Server

a Float Invalid Operation

%d MBytes paging file free.

%d MBytes physical memory.

0xx:

EDI: 0xx ESI: 0xx EAX: 0xx

%s\CRASH_REPORT_%s.txt

EFlags: 0xx ESP: 0xx SegSs: 0xx

EIP: 0xx EBP: 0xx SegCs: 0xx

EBX: 0xx ECX: 0xx EDX: 0xx

%s caused %s (0xx)

in module %s at x:x.

%s location x caused an access violation.

%s\CRASH_DUMP_%s.dmp

===== [end of %s] =====

Error creating dump file, err=%d

Exception code is 0xX

Crash dump file: %s

Crash report file :%s

P%d_T%d_Dld_ld_ld_Tld_ld_ld

code: %x

code: %x, addr: %x, module: %s

00:00:00.

NtQueryKey

{{{$621}}}

{{{$620}}}

{{{$623}}}

{{{$622}}}

{{{$629}}}

{{{$628}}}

{{{$697}}}

{{{$696}}}

{{{$695}}}

{{{$698}}}

%s 0x%I64x %s [file:%s(%u)]

PTF://

hXXps://

hXXp://

[%u, 0xx] %s

wininet.dll

https

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

request HttpSendRequestA failed...

Content-Length: %u

response failed...last error %d

1.1.3

gen_codes: max_code %d

code %d bits %d->%d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

{{{$722}}}

{{{$723}}}

{{{$724}}}

{{{$725}}}

{{{$728}}}

{{{$727}}}

{{{$726}}}

{{{$729}}}

{{{$730}}}

{{{$732}}}

{{{$731}}}

{{{$734}}}

{{{$733}}}

{{{$735}}}

{{{$738}}}

{{{$737}}}

{{{$736}}}

{{{$739}}}

{{{$740}}}

{{{$748}}}

{{{$747}}}

{{{$749}}}

{{{$752}}}

{{{$751}}}

%{{{$674}}}

{{{$673}}}

{{{$672}}}

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY_\

CREATE TABLE sqlite_master(

sql text

3.7.16

CREATE TEMP TABLE sqlite_temp_master(

{{{$102}}}

{{{$101}}}

{{{$103}}}

{{{$109}}}

{{{$108}}}

{{{$111}}}

{{{$110}}}

{{{$105}}}

{{{$104}}}

{{{$107}}}

{{{$106}}}

{{{$113}}}

{{{$112}}}

{{{$114}}}

{{{$117}}}

{{{$118}}}

{{{$115}}}

{{{$116}}}

{{{$121}}}

{{{$122}}}

{{{$119}}}

{{{$120}}}

{{{$123}}}

{{{$100}}}

{{{$691}}}

{{{$690}}}

{{{$693}}}

{{{$692}}}

{{{$687}}}

{{{$686}}}

{{{$689}}}

{{{$688}}}

boost::too_few_args: format-string referred to more arguments than were passed

boost::too_many_args: format-string referred to less arguments than were passed

{{{$137}}}

Content-Disposition: form-data; name="%s"

Content-Disposition: form-data; name="%s"; filename="%s"

_0_9_ _(_>_-_:_

_-_0_ _:_<_ _

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

RowKey

GetProcessHeap

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

OsError 0x%x (%u)

%s-shm

%s\etilqs_

%s\%s

cannot limit WAL size: %s

Recovered %d frames from WAL file %s

invalid page number %d

2nd reference to page %d

%d of %d pages missing from overflow list starting at %d

failed to get page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

unable to get the page. error code=%d

btreeInitPage() returns error code %d

freelist leaf count too big on page %d

Page %d:

On page %d at right child:

On tree page %d cell %d:

Fragmentation of %d bytes reported as %d on page %d

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

Page %d is never used

unknown database %s

keyinfo(%d

%s(%d)

MJ collide: %s

-mjX9X

%s-mjXXXXXX9XXz

MJ delete: %s

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

cannot open savepoint - SQL statements in progress

no such savepoint: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

statement aborts at %d: [%s] %s

cannot change %s wal mode from within a transaction

database table is locked: %s

cannot open value of type %s

no such column: "%s"

foreign key

cannot open virtual table: %s

cannot open view: %s

indexed

cannot open %s column for writing

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

%s: %s.%s

%s: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many SQL variables

too many columns in %s

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

sqlite_rename_parent

sqlite_rename_table

sqlite_rename_trigger

sqlite_

%s OR name=%Q

type='trigger' AND (%s)

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

table %s may not be altered

there is already another table or index with this name: %s

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

CREATE TABLE %Q.%s(%s)

sqlite_altertab_%s

sqlite_stat1

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

database %s is already in use

too many attached databases - max %d

no such database: %s

cannot detach database %s

unable to open database: %s

sqlite_detach

sqlite_attach

database %s is locked

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

%s %T cannot reference objects in database %s

object name reserved for internal use: %s

duplicate column name: %s

default value of column [%s] is not constant

there is already an index named %s

too many columns on %s

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

CREATE %s %.*s

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

table %s may not be dropped

use DROP TABLE to delete table %s

indexed columns are not unique

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

views may not be indexed

virtual tables may not be indexed

table %s may not be indexed

sqlite_autoindex_%s_%d

table %s has no column named %s

there is already a table named %s

index %s already exists

CREATE%s INDEX %.*s

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

a JOIN clause is required before %s

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

no such collation sequence: %s

table %s may not be modified

unable to identify the object to be reindexed

cannot modify %s because it is a view

sqlite_source_id

sqlite_log

sqlite_version

sqlite_compileoption_used

sqlite_compileoption_get

foreign key mismatch - "%w" referencing "%w"

table %S has no column named %s

table %S has %d columns but %d values were supplied

%d values for %d columns

PRIMARY KEY must be unique

%s.%s may not be NULL

constraint %s failed

no entry point [%s] in shared library [%s]

error during initialization: %s

sqlite3_extension_init

unable to open shared library [%s]

automatic extension loading failed: %s

foreign_keys

foreign_key_list

foreign_key_check

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unsupported file format

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

%s:%d

ORDER BY clause should come after %s not before

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

LIMIT clause should come after %s not before

%s.%s.%s

no such table: %s

sqlite_subquery_%p_

too many references to "%s": max 65535

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

cannot create %s trigger on view: %S

-- TRIGGER %s

no such column: %s

no such trigger: %S

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

vtable constructor failed: %s

vtable constructor did not declare schema: %s

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

no such module: %s

table %s: xBestIndex returned an invalid plan

%s AS %s

%s SUBQUERY %d

%s TABLE %s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s USING %s%sINDEX%s%s%s

%s (rowid<?)

%s VIRTUAL TABLE INDEX %d:%s

%s (rowid>? AND rowid<?)

%s (rowid>?)

cannot use index: %s

%s (~%lld rows)

at most %d tables in a join

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

database corruption at line %d of [%.10s]

no such vfs: %s

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

{{{$709}}}

{{{$710}}}

{{{$708}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\CltMngSvc.pdb

WTSAPI32.dll

USERENV.dll

KERNEL32.dll

USER32.dll

ReportEventW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

I_RpcBindingInqTransportType

RPCRT4.dll

PSAPI.DLL

VERSION.dll

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestW

HttpSendRequestA

HttpSendRequestExW

HttpEndRequestW

HttpQueryInfoA

WININET.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

dbghelp.dll

GetCPInfo

RegCloseKey

RegOpenKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegCreateKeyExW

RegNotifyChangeKeyValue

ReportEventA

zcÁ

C:\PROGRA~1\SearchProtect\

;74/, (%#

~{xrpfa\ZSM@;3-%U

function k(a) { return a < 10 ? "0"   a : a } function o(a) { p.lastIndex = 0; return p.test(a) ? '"'   a.replace(p, function (a) { var c = r[a]; return typeof c === "string" ? c : "\\u"   ("0000"   a.charCodeAt(0).toString(16)).slice(-4) })   '"' : '"'   a   '"' } function l(a, j) {

var c, d, h, m, g = e, f, b = j[a]; b && typeof b === "object" && typeof b.toJSON === "function" && (b = b.toJSON(a)); typeof i === "function" && (b = i.call(j, a, b)); switch (typeof b) {

e  = n; f = []; if (Object.prototype.toString.apply(b) === "[object Array]") { m = b.length; for (c = 0; c < m; c  = 1) f[c] = l(c, b) || "null"; h = f.length === 0 ? "[]" : e ? "[\n"   e   f.join(",\n"   e)   "\n"   g   "]" : "["   f.join(",")   "]"; e = g; return h } if (i && typeof i === "object") { m = i.length; for (c = 0; c < m; c  = 1) typeof i[c] === "string" && (d = i[c], (h = l(d, b)) && f.push(o(d)   (e ? ": " : ":")   h)) } else for (d in b) Object.prototype.hasOwnProperty.call(b, d) && (h = l(d, b)) && f.push(o(d)   (e ? ": " : ":")   h); h = f.length === 0 ? "{}" : e ? "{\n"   e   f.join(",\n"   e)   "\n"   g   "}" : "{"   f.join(",")

} if (typeof Date.prototype.toJSON !== "function") Date.prototype.toJSON = function () { return isFinite(this.valueOf()) ? this.getUTCFullYear()   "-"   k(this.getUTCMonth()   1)   "-"   k(this.getUTCDate())   "T"   k(this.getUTCHours())   ":"   k(this.getUTCMinutes())   ":"   k(this.getUTCSeconds())   "Z" : null }, String.prototype.toJSON = Number.prototype.toJSON = Boolean.prototype.toJSON = function () { return this.valueOf() }; var q = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,

p = /[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g, e, n, r = { "\u0008": "\\b", "\t": "\\t", "\n": "\\n", "\u000c": "\\f", "\r": "\\r", '"': '\\"', "\\": "\\\\" }, i; if (typeof JSON.stringify !== "function") JSON.stringify = function (a, j, c) {

var d; n = e = ""; if (typeof c === "number") for (d = 0; d < c; d  = 1) n  = " "; else typeof c === "string" && (n = c); if ((i = j) && typeof j !== "function" && (typeof j !== "object" || typeof j.length !== "number")) throw Error("JSON.stringify"); return l("",

}; if (typeof JSON.parse !== "function") JSON.parse = function (a, e) {

function c(a, d) { var g, f, b = a[d]; if (b && typeof b === "object") for (g in b) Object.prototype.hasOwnProperty.call(b, g) && (f = c(b, g), f !== void 0 ? b[g] = f : delete b[g]); return e.call(a, d, b) } var d, a = String(a); q.lastIndex = 0; q.test(a) && (a = a.replace(q, function (a) { return "\\u"   ("0000"   a.charCodeAt(0).toString(16)).slice(-4) })); if (/^[\],:{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,

"]").replace(/(?:^|:|,)(?:\s*\[) /g, ""))) return d = eval("("   a   ")"), typeof e === "function" ? c({ "": d }, "") : d; throw new SyntaxError("JSON.parse");

ws.api = ws.api || {};

ws.api.FunctionsEnum = {

SET_KEY: 1,

GET_KEY: 2,

REMOVE_KEY: 3,

ws.api.StatusEnum = {

SP_RESULT_KEY_DOES_NOT_EXIST: -2,

ws.api.RESULT_TIMOUET = 3000;

ws.api.storage = ws.api.storage || {};

ws.api.storage.setKey =

function (pluginId, key, value, callback, options) {

if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {

callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);

// Construct an object which will be passed to the VC holding all the parameters

data.funcId = ws.api.FunctionsEnum.SET_KEY;

data.pluginId = pluginId;

data.key = key;

data.value = value;

data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will

var resultObj = JSON.parse(result);

callback(resultObj.status);

callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);

}, ws.api.RESULT_TIMOUET);

ws.internal.SendStringToVC(JSON.stringify(data), myCallback);

ws.api.storage.getKey =

function (pluginId, key, callback, options) {

data.funcId = ws.api.FunctionsEnum.GET_KEY;

var value = resultObj.value;

if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {

callback(resultObj.status, value);

callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");

ws.api.storage.removeKey =

data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;

ws.api.system = ws.api.system || {};

ws.api.system.remove =

data.funcId = ws.api.FunctionsEnum.REMOVE;

data.shouldCallUninstaller = shouldCallUninstaller;

ws.internal = ws.internal || {};

if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {

ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

; ;$;(;,;0;4;8;<;

; ;$;(;,;0;4;

; <'<0<9<

11C1R1a1p1

7t7C7R7a7p7

<!=&=8=}=

5l6

7 8/8=8#9;9

5,5:5"6|6

1 1$1(1,1014181<1

2x3-4c6k6q6}6

223F3i3~3

;*</<9<|<

<"<&<*<5<

3"3&3*3.32363

6(7-737:7

1%2s2

7 7$7(7,7|7

4(5,5\5`5

4 4$4(4,404

?$?(?@?\?

>$>(>@>\>`>|>

14181\1`1

5 5$5(5,5054585<5

? ?$?(?,?0?4?8?<?@?

7$70787|7

2 2$2(2,20242

6$6,646<6

hmscoree.dll

Vkernel32.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

8.0.0.0-11.999.999.999

33.0.0.0-36.999.999.999

16.0.0.0-31.999.999.999

Failed to execute installer :

SPSetup.exe

}{{{$668}}}

{{{$669}}}

{{{$670}}}

}{{{$671}}}

{{{$668}}}

{{{$671}}}

%s (Error: %d)

{{{SP#Conduit::SearchProtector::Service::ServiceBase::ReportEventW#SP}}}

*.dmp

{{{$1062}}}

}{{{$670}}}

{{{$1129}}}

{{{$1130}}}

WindowsSessionManagerThread

}{{{$669}}}

J16.0.0.0-31.999.999.999

2.16.20.192

UserRepository.dat

SystemRepository.dat

UIRepository.dat

{{{$612}}}

 {{{$669}}}

36.0.0.0

32.0.0.0

{{{$296}}}

{{{$295}}}

{{{$299}}}

{{{$298}}}

{{{$301}}}

{{{$302}}}

Failed to set Url

{{{$309}}}

{{{$308}}}

{{{$310}}}

{{{$312}}}

{{{$311}}}

{{{$314}}}

{{{$315}}}

{{{$321}}}

{{{$322}}}

{{{$326}}}

{{{$330}}}

{{{$334}}}

{{{$335}}}

{{{$338}}}

{{{$337}}}

{{{$350}}}

{{{$349}}}

{{{$356}}}

{{{$355}}}

{{{$360}}}

{{{$359}}}

;chrome-extension_

_0.localstorage

{{{$257}}}

{{{$256}}}

{{{$260}}}

{{{$259}}}

{{{$385}}}

{{{$386}}}

{{{$383}}}

{{{$371}}}

{{{$372}}}

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_USER_LOCAL_SETTINGS

{{{$712}}}

Yuser32.dll

ieframe.dll

Windows Server 2008

Windows Vista

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Windows 8.1

%x %x[%s] %I64x %x %x

{{{$703}}}

{{{$702}}}

SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

ntdll.dll

%s%s%s

Correct password required

{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}

{{{$720}}}

888816666554443

6666554443

!6666554443

O16.0.0.0-31.999.999.999

{{{$373}}}

{{{$375}}}

{{{$374}}}

{{{$630}}}

HIDispatch error #%d

IWindowsSessionManagerException

01234567

JRpcTransportException

N8.0.0.0-11.999.999.999

Kernel32.dll

C:\PROGRA~1\SearchProtect\Main\bin\CltMngSvc.exe

cltmng.exe_660:

.text

`.rdata

@.data

.rsrc

@.reloc

.EKSWU

\$$;\$0|

DlSHA512 block transform for x86, CRYPTOGAMS by <[email protected]>

Camellia for x86 by <[email protected]>

AES for Intel AES-NI, CRYPTOGAMS by <[email protected]>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <[email protected]>

RC4 for x86, CRYPTOGAMS by <[email protected]>

Montgomery Multiplication for x86, CRYPTOGAMS by <[email protected]>

SHA1 block transform for x86, CRYPTOGAMS by <[email protected]>

SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>

GHASH for x86, CRYPTOGAMS by <[email protected]>

GF(2^m) Multiplication for x86, CRYPTOGAMS by <[email protected]>

FtPS

[email protected]

t;j.Yf

j.Xf9

!\$0!\$4

<1%u5

FTPj

tCPQ

,4,56,789

hCRt

PSSSSSSh

 FTPj

F\ FTP

j.Yf;

_tcPVj@

.PjRW

r%f;M

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

0123456789-

%b %d %H : %M : %S %Y

%m / %d / %y

%I : %M : %S %p

%d / %m / %y

kernel32.dll

boost::filesystem::directory_iterator::operator

The repeat operator "*" cannot start a regular expression.

The repeat operator "?" cannot start a regular expression.

The repeat operator " " cannot start a regular expression.

Found a closing repetition operator } with no corresponding {.

Can't terminate a sub-expression with an alternation operator |.

The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.

A regular expression can start with the alternation operator |.

Invalid alternation operators within (?...) block.

More than one alternation operator | was encountered inside a conditional expression.

Alternation operators are not allowed inside a DEFINE block.

A repetition operator cannot be applied to a zero-width assertion.

left-curly-bracket

right-curly-bracket

0123456789

Unmatched quantified repeat operator { or \{.

Invalid preceding regular expression prior to repetition operator.

boost thread: trying joining itself

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

Visual C   CRT: Not enough memory to complete call to strerror.

Operation not permitted

Inappropriate I/O control operation

Broken pipe

operator

GetProcessWindowStation

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

CERTIFICATE

PUBLIC KEY

RSA part of OpenSSL 1.0.1e 11 Feb 2013

SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

passed a null parameter

DSO support routines

x509 certificate routines

error:lX:%s:%s:%s

?456789:;<=

!"#$%&'()* ,-./0123

Big Number part of OpenSSL 1.0.1e 11 Feb 2013

pubkey

PEM part of OpenSSL 1.0.1e 11 Feb 2013

phrase is too short, needs to be at least %d chars

Enter PEM pass phrase:

TRUSTED CERTIFICATE

X509 CERTIFICATE

PRIVATE KEY

ENCRYPTED PRIVATE KEY

ANY PRIVATE KEY

enc_key

key_enc_algor

cert

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

d.data

d.other

NETSCAPE_CERT_SEQUENCE

certs

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

DSA part of OpenSSL 1.0.1e 11 Feb 2013

priv_key

pub_key

.\crypto\ec\ec_key.c

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

Any Extended Key Usage

anyExtendedKeyUsage

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

%'%1%=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

RAND part of OpenSSL 1.0.1e 11 Feb 2013

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

lhash part of OpenSSL 1.0.1e 11 Feb 2013

Stack part of OpenSSL 1.0.1e 11 Feb 2013

Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013

value.single

value.set

.\crypto\evp\evp_key.c

nkey <= EVP_MAX_KEY_LENGTH

EVP part of OpenSSL 1.0.1e 11 Feb 2013

name.relativename

name.fullname

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*s%s:

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

AUTHORITY_KEYID

keyid

cert_info

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

EC part of OpenSSL 1.0.1e 11 Feb 2013

USER32.DLL

NETAPI32.DLL

KERNEL32.DLL

ADVAPI32.DLL

.\crypto\dh\dh_key.c

%s: (%d bit)

Public-Key

Private-Key

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

Public-Key: (%d bit)

Private-Key: (%d bit)

SHA1 part of OpenSSL 1.0.1e 11 Feb 2013

SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013

RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013

SHA part of OpenSSL 1.0.1e 11 Feb 2013

MD5 part of OpenSSL 1.0.1e 11 Feb 2013

MD4 part of OpenSSL 1.0.1e 11 Feb 2013

AES part of OpenSSL 1.0.1e 11 Feb 2013

CAST part of OpenSSL 1.0.1e 11 Feb 2013

Blowfish part of OpenSSL 1.0.1e 11 Feb 2013

:RC2 part of OpenSSL 1.0.1e 11 Feb 2013

.pp@0

aEÐ

 (#EÚ

ÚE<<0

IDEA part of OpenSSL 1.0.1e 11 Feb 2013

libdes part of OpenSSL 1.0.1e 11 Feb 2013

DES part of OpenSSL 1.0.1e 11 Feb 2013

\X

ddddddZ

ddddddZ

%d.%d.%d.%d

<unsupported>

IP Address:%d.%d.%d.%d

URI:%s

DNS:%s

email:%s

EdiPartyName:<unsupported>

X400Name:<unsupported>

othername:<unsupported>

%d.%d.%d.%d/%d.%d.%d.%d

X509_CERT_PAIR

X509_CERT_AUX

X.509 part of OpenSSL 1.0.1e 11 Feb 2013

x%s

%s - d:d:d%.*s %d%s

keylen <= sizeof key

EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)

ECDSA part of OpenSSL 1.0.1e 11 Feb 2013

Basis Type: %s

Field Type: %s

ASN1 OID: %s

%s %s%lu (%s0x%lx)

'() ,-./:=?

%lu:%s:%s:%d:%s

Verifying - %s

%*sPolicy Text: %s

%*scrlUrl:

EXTENDED_KEY_USAGE

%*sZone: %s, User:

.\crypto\x509v3\v3_akey.c

d.usernotice

d.cpsuri

CERTIFICATEPOLICIES

%*sExplicit Text: %s

%*sNumber%s:

%*sOrganization: %s

%*sCPS: %s

PKEY_USAGE_PERIOD

keyCertSign

Certificate Sign

keyAgreement

Key Agreement

keyEncipherment

Key Encipherment

.\crypto\x509v3\v3_skey.c

CONF part of OpenSSL 1.0.1e 11 Feb 2013

PROXY_CERT_INFO_EXTENSION

hexkey

rsa_keygen_pubexp

rsa_keygen_bits

keylength

keyfunc

len>=0 && len<=(int)sizeof(ctx->key)

j <= (int)sizeof(ctx->key)

.\crypto\pkcs12\p12_key.c

d.receiptList

d.allOrFirstTier

d.compressedData

d.authenticatedData

d.encryptedData

d.digestedData

d.envelopedData

d.signedData

d.ori

d.pwri

d.kekri

d.kari

d.ktri

CMS_PasswordRecipientInfo

keyDerivationAlgorithm

keyIdentifier

CMS_KeyAgreeRecipientInfo

recipientEncryptedKeys

CMS_OriginatorIdentifierOrKey

d.originatorKey

CMS_OriginatorPublicKey

CMS_RecipientEncryptedKey

CMS_KeyAgreeRecipientIdentifier

d.rKeyId

CMS_RecipientKeyIdentifier

CMS_OtherKeyAttribute

keyAttr

keyAttrId

CMS_KeyTransRecipientInfo

encryptedKey

keyEncryptionAlgorithm

certificates

d.crl

d.subjectKeyIdentifier

d.issuerAndSerialNumber

CMS_CertificateChoices

d.v2AttrCert

d.v1AttrCert

d.extendedCertificate

d.certificate

CMS_OtherCertificateFormat

otherCert

otherCertFormat

crlUrl

certStatus

certId

OCSP_CERTSTATUS

value.unknown

value.revoked

value.good

value.byKey

value.byName

reqCert

OCSP_CERTID

issuerKeyHash

CONF_def part of OpenSSL 1.0.1e 11 Feb 2013

[[%s]]

[%s] %s=%s

ECDH part of OpenSSL 1.0.1e 11 Feb 2013

value.bag

value.safes

value.shkeybag

value.keybag

value.sdsicert

value.x509cert

value.other

%s.dll

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp

^0^5^0^1^)^0^

{{{$631}}}

{{{$764}}}

{{{$765}}}

{{{$766}}}

{{{$767}}}

{{{$770}}}

{{{$771}}}

!f%f#f

_(_>_6_ _

_ _>_4_:_0_)_:_-_

_:_)_:_1_ _

:_-_-_0_-_

]>]2]3]9](]4])]

]<].].]8])]

]9]4].]>]2] ]8]/]8]9]

F6F4F)F2F#FòF/F)F(F

F%F.F'F(F!F#F

;_:_9_>_*_3_ _

_:_>_-_<_7_

]3].])]<]1]1]8]9]

2_:_ _7_0_;_

/[3[)[>[:[?[

{{{$466}}}

{{{$473}}}

{{{$476}}}

{{{$478}}}

C,CÇC4C"C1C&C

@/@&@4@7@!@2@%@

@/@:@)@,@,@!@

@/@:@)@,@,@!@`@

@)@2@%@&@/@8@

{{{$407}}}

{{{$408}}}

{{{$409}}}

{{{$410}}}

@%@!@2@#@(@

@(@/@2@4@

{{{$411}}}

{{{$413}}}

{{{$414}}}

{{{$415}}}

v%J%C%Q%R%D%W%@%y%d%U%U%a%D%Q%D%i%J%R%y%v%J%C%Q%R%D%W%@%y%v%H%D%W%Q%g%D%W%y%c%c%

insert into ItemTable (key, value) VALUES ('%s', '%s');

CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);

7<.-8;)8><~

{{{$317}}}

{{{$318}}}

{{{$319}}}

{{{$339}}}

KEYWORDS

KEYWORD

{{{$362}}}

{{{$364}}}

{{{$363}}}

{{{$365}}}

]2]3]9](]4])]

]?].])]/]<]>])]4]2]3]

]<]$]8]/]

4]>]2]3]

(more frames truncated from call stack report)

\StringFileInfo\xx\%s

%d/%d/%d d:d:d

Module %d

Checksum: 0xx Time Stamp: 0xx

Image Base: 0xx Image Size: 0xx

File Size: %-10d File Time: %s

Product: %s

Company: %s

FileVer: %d.%d.%d.%d

FileDesc: %s

ProdVer: %d.%d.%d.%d

Windows Vista

Windows 7

Windows 8

Windows Server 2008

Windows 9

Windows Server 2008 R2

Web Edition

Windows XP

Windows Server 2012

Windows Server 9

Windows 2000

(build %d)

Error occurred at %s.

This sample does not support this version of Windows.

Operating system: Could not Determine

Operating system: %s

%d%% memory in use.

%d processor(s), type %d.

%d MBytes physical memory free.

%d MBytes paging file.

%d MBytes paging file free.

%d MBytes user address space free.

%d MBytes user address space.

Windows Server 2003 R2

Web Server Edition

a Float Denormal Operand

Windows Home Server

Windows Storage Server 2003

Windows Server 2003

Windows XP Professional x64 Edition

a Float Invalid Operation

0xx:

%s\CRASH_REPORT_%s.txt

%d MBytes physical memory.

EBX: 0xx ECX: 0xx EDX: 0xx

EDI: 0xx ESI: 0xx EAX: 0xx

EFlags: 0xx ESP: 0xx SegSs: 0xx

EIP: 0xx EBP: 0xx SegCs: 0xx

%s caused %s (0xx)

in module %s at x:x.

%s location x caused an access violation.

===== [end of %s] =====

Exception code is 0xX

Crash dump file: %s

Crash report file :%s

%s\CRASH_DUMP_%s.dmp

Error creating dump file, err=%d

P%d_T%d_Dld_ld_ld_Tld_ld_ld

code: %x, addr: %x, module: %s

code: %x

\1\=\;\9\

\(\=\(\9\

5|1|=|;|9|#|/|(|=|(|9|#|;|9|2|9|.|=|0|5|&|9|#|.|9|/|9|=|0|#|(|3|#|=|)|8|5|(|

{{{$635}}}

{{{$634}}}

{{{$636}}}

{{{$637}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h

NtQueryKey

{{{$620}}}

{{{$622}}}

{{{$621}}}

{{{$623}}}

{{{$628}}}

{{{$629}}}

{{{$696}}}

{{{$695}}}

{{{$698}}}

{{{$697}}}

%s 0x%I64x %s [file:%s(%u)]

PTF://

hXXp://

hXXps://

wininet.dll

[%u, 0xx] %s

https

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

request HttpSendRequestA failed...

Content-Length: %u

response failed...last error %d

{{{$674}}}

{{{$672}}}

{{{$673}}}

{{{$773}}}

{{{$776}}}

{{{$774}}}

{{{$775}}}

{{{$936}}}

{{{$935}}}

{={={/{9{){

{{{$867}}}

{{{$868}}}

0c3c.cCc

C"C3CcC%C"C*C/C&C'CcC%C,C1CcC

]/]/]2]/]

]<]4]1]8]9]}]/]8])]/]4]8] ]4]3]:]}]>](]/]/]8]3])]}]<].].]8])]}]9]<])]<]}];]2]/]}]

{{{$779}}}

{{{$780}}}

_/_;_>_ _:_

_0_(_1_3_0_>_;_

{{{$966}}}

{{{$967}}}

D(DÐD"D D6D)D

s]sSs%s

[([:[<[>[

{{{$761}}}

{{{$760}}}

{{{$763}}}

{{{$762}}}

--4,5=,8'>.

--=,=,8'>"

##:" 3"6)0

##3"6)0,

##3!'3"55

::#;%4*;/0)9

::*;,0)5

((1) 8)=";

((8)>";'

9 %2?,52? 6

22 3:"3'8!1

22"3$8!=

>>'?6.? 4-=

>>.? 4-1

>>.<:.?((

22 3-<"3'8!1

''>&7&1-4(

%/6%%<$=5$0/6&

44-5 :$5!>'7

4>'44$5$5">';

voc}XXs^VY_HnSSH||e}tl}ivo

//6.'?.:%<,

//?- ?.99

##3"3"6)0,

##:"3"5)00

#)0###)0###9

99 81)8,3*:

99)8,3*6

11(0.?!0$;"2

ovza@CLK@uWJU@WQ\ee|dmudpovfJKQ@]QeeudsovjGO@FQeeugassDIP@eoveeu

_3_*_8_6_1_

_ _>_ _:_

C&C%C"C6C/C7CcC

C"C1C1C*C&C1CcC%C,C1CcC

spx.params

spx.assets

0_ _7_:_-_

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

CREATE TABLE sqlite_master(

sql text

3.7.16

CREATE TEMP TABLE sqlite_temp_master(

{{{$101}}}

{{{$105}}}

{{{$106}}}

{{{$107}}}

{{{$108}}}

{{{$102}}}

{{{$103}}}

{{{$104}}}

{{{$113}}}

{{{$109}}}

{{{$110}}}

{{{$111}}}

{{{$112}}}

{{{$100}}}

{{{$114}}}

{{{$115}}}

{{{$118}}}

{{{$119}}}

{{{$116}}}

{{{$117}}}

{{{$122}}}

{{{$123}}}

{{{$120}}}

{{{$121}}}

{{{$542}}}

{{{$543}}}

{{{$529}}}

{{{$530}}}

{{{$531}}}

{{{$532}}}

{{{$533}}}

{{{$538}}}

{{{$539}}}

\3\3\(\/\(\.\=\,\9\.\|\

\9\;\5\/\(\9\.\

\.\3\ \/\9\.\

\5\:\9\(\5\1\9\

\*\9\2\(\|\>\.\3\ \/\9\.\|\

{{{$541}}}

{{{$534}}}

{{{$535}}}

{{{$536}}}

{{{$537}}}

{{{$242}}}

{{{$243}}}

{{{$566}}}

{{{$565}}}

{{{$569}}}

{{{$570}}}

{{{$571}}}

{{{$567}}}

{{{$568}}}

{{{$573}}}

{{{$574}}}

{{{$575}}}

{{{$576}}}

{{{$572}}}

{{{$578}}}

{{{$579}}}

{{{$580}}}

{{{$577}}}

{{{$582}}}

{{{$583}}}

{{{$581}}}

{{{$585}}}

{{{$584}}}

{{{$588}}}

{{{$586}}}

{{{$587}}}

{{{$591}}}

{{{$592}}}

{{{$589}}}

{{{$595}}}

{{{$594}}}

{{{$598}}}

{{{$596}}}

{{{$597}}}

{{{$600}}}

{{{$601}}}

{{{$599}}}

{{{$603}}}

{{{$602}}}

{{{$606}}}

{{{$604}}}

{{{$605}}}

{{{$608}}}

{{{$609}}}

{{{$607}}}

{{{$611}}}

{{{$610}}}

,\0\=\(\:\3\.\1\

u%W%@%S%d%V%V%@%Q%a%D%Q%D%

{{{$510}}}

{{{$514}}}

{{{$511}}}

{{{$512}}}

{{{$513}}}

{{{$515}}}

{{{$518}}}

{{{$516}}}

{{{$517}}}

{{{$519}}}

{{{$520}}}

{{{$521}}}

{{{$522}}}

{{{$523}}}

{{{$524}}}

{{{$525}}}

{{{$526}}}

{{{$527}}}

{{{$528}}}

{{{$618}}}

{{{$619}}}

{{{$614}}}

{{{$615}}}

{{{$616}}}

{{{$617}}}

{{{$722}}}

{{{$724}}}

{{{$723}}}

{{{$725}}}

{{{$729}}}

{{{$727}}}

{{{$726}}}

{{{$728}}}

{{{$730}}}

{{{$731}}}

{{{$733}}}

{{{$732}}}

{{{$735}}}

{{{$734}}}

{{{$736}}}

{{{$740}}}

{{{$739}}}

{{{$738}}}

{{{$737}}}

{{{$747}}}

{{{$749}}}

{{{$748}}}

{{{$751}}}

{{{$752}}}

{{{$643}}}

{{{$648}}}

{{{$645}}}

{{{$644}}}

{{{$647}}}

{{{$646}}}

00:00:00.

1.1.3

gen_codes: max_code %d

code %d bits %d->%d

bl code -

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

{{{$139}}}

{{{$138}}}

{{{$141}}}

{{{$140}}}

{{{$142}}}

{{{$144}}}

{{{$143}}}

{{{$146}}}

{{{$145}}}

{{{$124}}}

{{{$126}}}

{{{$125}}}

{{{$132}}}

{{{$131}}}

{{{$134}}}

{{{$133}}}

{{{$128}}}

{{{$127}}}

{{{$130}}}

{{{$129}}}

{{{$135}}}

boost::too_many_args: format-string referred to less arguments than were passed

boost::too_few_args: format-string referred to more arguments than were passed

Union operator has to be applied to node sets

Content-Disposition: form-data; name="%s"; filename="%s"

Content-Disposition: form-data; name="%s"

Conduit::SearchProtector::Utils::Singleton<class Conduit::SearchProtector::SPM::Services::LoginManager>::GetInstance

invalid map<K, T> key

%s[%d]: %s

SQLITE_ERROR

SQLITE_OK

SQLITE_PERM

SQLITE_INTERNAL

SQLITE_BUSY

SQLITE_ABORT

SQLITE_NOMEM

SQLITE_LOCKED

SQLITE_INTERRUPT

SQLITE_READONLY

SQLITE_CORRUPT

SQLITE_IOERR

SQLITE_FULL

SQLITE_NOTFOUND

SQLITE_PROTOCOL

SQLITE_CANTOPEN

SQLITE_SCHEMA

SQLITE_EMPTY

SQLITE_CONSTRAINT

SQLITE_TOOBIG

SQLITE_MISUSE

SQLITE_MISMATCH

SQLITE_AUTH

SQLITE_NOLFS

SQLITE_RANGE

SQLITE_FORMAT

SQLITE_DONE

SQLITE_ROW

CPPSQLITE_ERROR

SQLITE_

d-d-d d:d:d

d-d-d

d:d:d

failed memory resize %u to %u bytes

failed to allocate %u bytes of memory

922337203685477580

API call with %s database connection pointer

RowKey

GetProcessHeap

os_win.c:%d: (%d) %s(%s) - %s

OsError 0x%x (%u)

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

%s\%s

cannot limit WAL size: %s

Recovered %d frames from WAL file %s

invalid page number %d

Failed to read ptrmap key=%d

2nd reference to page %d

%d of %d pages missing from overflow list starting at %d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

freelist leaf count too big on page %d

failed to get page %d

unable to get the page. error code=%d

Page %d:

On tree page %d cell %d:

btreeInitPage() returns error code %d

On page %d at right child:

Corruption detected in cell %d on page %d

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Pointer map page %d is referenced

Page %d is never used

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjXXXXXX9XXz

MJ collide: %s

MJ delete: %s

foreign key constraint failed

-mjX9X

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

cannot open savepoint - SQL statements in progress

constraint failed at %d in [%s]

cannot release savepoint - SQL statements in progress

no such savepoint: %s

cannot commit transaction - SQL statements in progress

sqlite_temp_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

sqlite_master

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

database table is locked: %s

cannot open value of type %s

cannot open virtual table: %s

no such column: "%s"

cannot open view: %s

indexed

foreign key

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s

%s: %s.%s.%s

not authorized to use function: %s

%s: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

sqlite_rename_table

%s%.*s"%w"

sqlite_rename_parent

sqlite_rename_trigger

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

view %s may not be altered

there is already another table or index with this name: %s

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

sqlite_sequence

Cannot add a PRIMARY KEY column

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_stat1

DELETE FROM %Q.%s WHERE %s=%Q

CREATE TABLE %Q.%s(%s)

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

too many attached databases - max %d

invalid name: "%s"

database %s is already in use

no such database: %s

unable to open database: %s

cannot detach database %s

sqlite_detach

database %s is locked

%s %T cannot reference objects in database %s

sqlite_attach

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

duplicate column name: %s

too many columns on %s

table "%s" has more than one primary key

default value of column [%s] is not constant

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

sqlite_stat%d

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

table %s may not be dropped

sqlite_stat

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

indexed columns are not unique

unknown column "%s" in foreign key definition

views may not be indexed

table %s may not be indexed

there is already a table named %s

virtual tables may not be indexed

sqlite_autoindex_%s_%d

index %s already exists

table %s has no column named %s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

no such index: %S

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

a JOIN clause is required before %s

no such collation sequence: %s

unable to identify the object to be reindexed

cannot modify %s because it is a view

table %s may not be modified

sqlite_source_id

sqlite_version

sqlite_compileoption_used

sqlite_log

sqlite_compileoption_get

foreign key mismatch - "%w" referencing "%w"

table %S has %d columns but %d values were supplied

table %S has no column named %s

%d values for %d columns

%s.%s may not be NULL

PRIMARY KEY must be unique

constraint %s failed

sqlite3_extension_init

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

automatic extension loading failed: %s

error during initialization: %s

foreign_keys

foreign_key_list

foreign_key_check

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

a NATURAL join may not have an ON or USING clause

RIGHT and FULL OUTER JOINs are not currently supported

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

%s.%s

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

sqlite_subquery_%p_

no such index: %s

%s.%s.%s

too many references to "%s": max 65535

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

-- TRIGGER %s

no such trigger: %S

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s AS %s

%s TABLE %s

%s USING INTEGER PRIMARY KEY

%s USING %s%sINDEX%s%s%s

%s (rowid>? AND rowid<?)

%s (rowid=?)

%s (rowid<?)

%s (rowid>?)

%s (~%lld rows)

%s VIRTUAL TABLE INDEX %d:%s

cannot use index: %s

at most %d tables in a join

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

no such vfs: %s

%s mode not allowed: %s

misuse at line %d of [%.10s]

database corruption at line %d of [%.10s]

cannot open file at line %d of [%.10s]

$@!@4@!@

K.K?K?K"K%K,KkK8K.K9K=K"K(K.KkK-K*K"K'K.K/KeKkK

6S%S6S=S'S

{{{$710}}}

{{{$708}}}

{{{$709}}}

{{{$137}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\cltmng.pdb

KERNEL32.dll

MsgWaitForMultipleObjects

USER32.dll

VERSION.dll

PSAPI.DLL

InternetCrackUrlW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestW

HttpSendRequestA

HttpSendRequestExW

HttpEndRequestW

HttpQueryInfoA

WININET.dll

dbghelp.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

UrlUnescapeW

SHLWAPI.dll

CreateIoCompletionPort

GetCPInfo

RegCloseKey

RegOpenKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegNotifyChangeKeyValue

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

ReportEventA

I_RpcBindingInqTransportType

RPCRT4.dll

zcÁ

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect

function k(a) { return a < 10 ? "0"   a : a } function o(a) { p.lastIndex = 0; return p.test(a) ? '"'   a.replace(p, function (a) { var c = r[a]; return typeof c === "string" ? c : "\\u"   ("0000"   a.charCodeAt(0).toString(16)).slice(-4) })   '"' : '"'   a   '"' } function l(a, j) {

var c, d, h, m, g = e, f, b = j[a]; b && typeof b === "object" && typeof b.toJSON === "function" && (b = b.toJSON(a)); typeof i === "function" && (b = i.call(j, a, b)); switch (typeof b) {

e  = n; f = []; if (Object.prototype.toString.apply(b) === "[object Array]") { m = b.length; for (c = 0; c < m; c  = 1) f[c] = l(c, b) || "null"; h = f.length === 0 ? "[]" : e ? "[\n"   e   f.join(",\n"   e)   "\n"   g   "]" : "["   f.join(",")   "]"; e = g; return h } if (i && typeof i === "object") { m = i.length; for (c = 0; c < m; c  = 1) typeof i[c] === "string" && (d = i[c], (h = l(d, b)) && f.push(o(d)   (e ? ": " : ":")   h)) } else for (d in b) Object.prototype.hasOwnProperty.call(b, d) && (h = l(d, b)) && f.push(o(d)   (e ? ": " : ":")   h); h = f.length === 0 ? "{}" : e ? "{\n"   e   f.join(",\n"   e)   "\n"   g   "}" : "{"   f.join(",")

} if (typeof Date.prototype.toJSON !== "function") Date.prototype.toJSON = function () { return isFinite(this.valueOf()) ? this.getUTCFullYear()   "-"   k(this.getUTCMonth()   1)   "-"   k(this.getUTCDate())   "T"   k(this.getUTCHours())   ":"   k(this.getUTCMinutes())   ":"   k(this.getUTCSeconds())   "Z" : null }, String.prototype.toJSON = Number.prototype.toJSON = Boolean.prototype.toJSON = function () { return this.valueOf() }; var q = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,

p = /[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g, e, n, r = { "\u0008": "\\b", "\t": "\\t", "\n": "\\n", "\u000c": "\\f", "\r": "\\r", '"': '\\"', "\\": "\\\\" }, i; if (typeof JSON.stringify !== "function") JSON.stringify = function (a, j, c) {

var d; n = e = ""; if (typeof c === "number") for (d = 0; d < c; d  = 1) n  = " "; else typeof c === "string" && (n = c); if ((i = j) && typeof j !== "function" && (typeof j !== "object" || typeof j.length !== "number")) throw Error("JSON.stringify"); return l("",

}; if (typeof JSON.parse !== "function") JSON.parse = function (a, e) {

function c(a, d) { var g, f, b = a[d]; if (b && typeof b === "object") for (g in b) Object.prototype.hasOwnProperty.call(b, g) && (f = c(b, g), f !== void 0 ? b[g] = f : delete b[g]); return e.call(a, d, b) } var d, a = String(a); q.lastIndex = 0; q.test(a) && (a = a.replace(q, function (a) { return "\\u"   ("0000"   a.charCodeAt(0).toString(16)).slice(-4) })); if (/^[\],:{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,

"]").replace(/(?:^|:|,)(?:\s*\[) /g, ""))) return d = eval("("   a   ")"), typeof e === "function" ? c({ "": d }, "") : d; throw new SyntaxError("JSON.parse");

ws.api = ws.api || {};

ws.api.FunctionsEnum = {

SET_KEY: 1,

GET_KEY: 2,

REMOVE_KEY: 3,

ws.api.StatusEnum = {

SP_RESULT_KEY_DOES_NOT_EXIST: -2,

ws.api.RESULT_TIMOUET = 3000;

ws.api.storage = ws.api.storage || {};

ws.api.storage.setKey =

function (pluginId, key, value, callback, options) {

if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {

callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);

// Construct an object which will be passed to the VC holding all the parameters

data.funcId = ws.api.FunctionsEnum.SET_KEY;

data.pluginId = pluginId;

data.key = key;

data.value = value;

data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will

var resultObj = JSON.parse(result);

callback(resultObj.status);

callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);

}, ws.api.RESULT_TIMOUET);

ws.internal.SendStringToVC(JSON.stringify(data), myCallback);

ws.api.storage.getKey =

function (pluginId, key, callback, options) {

data.funcId = ws.api.FunctionsEnum.GET_KEY;

var value = resultObj.value;

if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {

callback(resultObj.status, value);

callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");

ws.api.storage.removeKey =

data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;

ws.api.system = ws.api.system || {};

ws.api.system.remove =

data.funcId = ws.api.FunctionsEnum.REMOVE;

data.shouldCallUninstaller = shouldCallUninstaller;

ws.internal = ws.internal || {};

if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {

ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;

;74/, (%#

~{xrpfa\ZSM@;3-%U

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

; ;$;(;,;0;4;8;<;

7 7$7(7,707

1%2s2

14282<2@2

<1=3>=>??}?

: ;';0;9;

2-242g2n2}2

9”9C9R9a9p9

2$2C2R2a2p2

9%:1:7:<:[:

;"<@<^<|<

7"7)73787|7

;";&;*;.;5;

5#5'5 5/53575>5

; ;$;(;,;0;4;3=

:#<0< >->

<$<*<3<9<

; <3<]<|<

1-1A1U1i1}1

3 3$3(3,303

7084888<8@8

0 0$0(0,000

5#525?5`5

= =$=(=,=0=

626?6[6|6

9%9S9b9o9

9Ÿ9

1"2F2i2~2

: :$:#>3>

6d6C6N6X6b6l6v6

9 9$9(949

7 7$707@7

= =(=\=`=

0$1(1,1014181<1

2 2$2(2,2024282<2@2

; ;$;(;,;|=

4,484@4`4|4

7,787\7|7

=,=8=@=`=

1$1,181`1

=(=4=<=\=

mmscoree.dll

nkernel32.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

8.0.0.0-11.999.999.999

33.0.0.0-36.999.999.999

16.0.0.0-31.999.999.999

{{{$668}}}

{{{$669}}}

{{{$670}}}

{{{$671}}}

2.16.20.192

UserRepository.dat

SystemRepository.dat

UIRepository.dat

chrome-extension_

_0.localstorage

{{{$257}}}

;{{{$668}}}

{{{$256}}}

{{{$260}}}

{{{$259}}}

36.0.0.0

32.0.0.0

{{{$296}}}

{{{$295}}}

{{{$298}}}

{{{$299}}}

{{{$301}}}

{{{$302}}}

Failed to set Url

{{{$309}}}

{{{$312}}}

{{{$308}}}

{{{$311}}}

{{{$310}}}

{{{$314}}}

{{{$315}}}

{{{$321}}}

{{{$322}}}

{{{$327}}}

{{{$330}}}

{{{$334}}}

{{{$335}}}

{{{$337}}}

{{{$338}}}

{{{$349}}}

{{{$350}}}

{{{$356}}}

{{{$355}}}

{{{$360}}}

{{{$359}}}

{{{$383}}}

{{{$385}}}

{{{$386}}}

{{{$371}}}

{{{$372}}}

user32.dll

ieframe.dll

Windows Vista

Windows 7

Windows Server 2008

Windows 8

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

%x %x[%s] %I64x %x %x

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_NLSTEXT

HKEY_DYN_DATA

HKEY_CURRENT_USER_LOCAL_SETTINGS

ntdll.dll

{{{$702}}}

{{{$703}}}

{{{$877}}}

{{{SP#Conduit::SearchProtector::SPM::SPMAssetsManager::MapAssets#SP}}}

{{{$897}}}

{{{SP#Conduit::SearchProtector::SPM::SPMAssetsManager::ExecuteAssetChangeAttemptDecision#SP}}}

SPSetup.exe

{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::CheckForCompetitors#SP}}}

{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::RequestService#SP}}}

{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::RequestServiceByBrowser#SP}}}

{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::HttpAsyncCallBack#SP}}}

hXXp://VVV.mozilla.org/keymaster/gatekeeper/there.is.only.xul

Plugin Id: %s, Plugin Name: %s, Plugin version: %s

chrome.exe

%s\script_%d.dat

888816666554443

6666554443

!6666554443

{{{$540}}}

{{{$376}}}

{{{$377}}}

{{{$378}}}

{{{$373}}}

{{{$374}}}

{{{$375}}}

{{{$379}}}

{{{$612}}}

{{{$553}}}

{{{$554}}}

{{{$712}}}

{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}

{{{$720}}}

SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

%s%s%s

Correct password required

IDispatch error #%d

{{{$630}}}

\%s\%s.exe

01234567

{{{SP#Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack#SP}}}

UserSettings.dat

{{{SP#Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack#SP}}}

e33.0.0.0-36.999.999.999

{{{$77}}}

{{{SP#Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack#SP}}}

iRpcTransportException

C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe

cltmngui.exe_1540:

.text

`.rdata

@.data

.rsrc

@.reloc

.EKSWU

\$$;\$0|

DlSHA512 block transform for x86, CRYPTOGAMS by <[email protected]>

Camellia for x86 by <[email protected]>

AES for Intel AES-NI, CRYPTOGAMS by <[email protected]>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <[email protected]>

RC4 for x86, CRYPTOGAMS by <[email protected]>

Montgomery Multiplication for x86, CRYPTOGAMS by <[email protected]>

SHA1 block transform for x86, CRYPTOGAMS by <[email protected]>

SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>

GHASH for x86, CRYPTOGAMS by <[email protected]>

GF(2^m) Multiplication for x86, CRYPTOGAMS by <[email protected]>

FtPS

[email protected]

tcPVWQ

<1%u5

FTPj

tCPQ

,4,56,789

PSSSSSSh

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

0123456789-

%b %d %H : %M : %S %Y

%m / %d / %y

%I : %M : %S %p

%d / %m / %y

kernel32.dll

left-curly-bracket

right-curly-bracket

boost thread: trying joining itself

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

Visual C   CRT: Not enough memory to complete call to strerror.

Operation not permitted

Inappropriate I/O control operation

Broken pipe

GetProcessWindowStation

operator

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

CERTIFICATE

PUBLIC KEY

RSA part of OpenSSL 1.0.1e 11 Feb 2013

SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

passed a null parameter

DSO support routines

x509 certificate routines

error:lX:%s:%s:%s

?456789:;<=

!"#$%&'()* ,-./0123

Big Number part of OpenSSL 1.0.1e 11 Feb 2013

pubkey

PEM part of OpenSSL 1.0.1e 11 Feb 2013

phrase is too short, needs to be at least %d chars

Enter PEM pass phrase:

TRUSTED CERTIFICATE

X509 CERTIFICATE

PRIVATE KEY

ENCRYPTED PRIVATE KEY

ANY PRIVATE KEY

enc_key

key_enc_algor

cert

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

d.data

d.other

NETSCAPE_CERT_SEQUENCE

certs

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

DSA part of OpenSSL 1.0.1e 11 Feb 2013

priv_key

pub_key

.\crypto\ec\ec_key.c

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

Any Extended Key Usage

anyExtendedKeyUsage

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

%'%1%=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

RAND part of OpenSSL 1.0.1e 11 Feb 2013

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

lhash part of OpenSSL 1.0.1e 11 Feb 2013

Stack part of OpenSSL 1.0.1e 11 Feb 2013

Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013

value.single

value.set

.\crypto\evp\evp_key.c

nkey <= EVP_MAX_KEY_LENGTH

EVP part of OpenSSL 1.0.1e 11 Feb 2013

name.relativename

name.fullname

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*s%s:

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

AUTHORITY_KEYID

keyid

cert_info

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

EC part of OpenSSL 1.0.1e 11 Feb 2013

USER32.DLL

NETAPI32.DLL

KERNEL32.DLL

ADVAPI32.DLL

.\crypto\dh\dh_key.c

%s: (%d bit)

Public-Key

Private-Key

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

Public-Key: (%d bit)

Private-Key: (%d bit)

SHA1 part of OpenSSL 1.0.1e 11 Feb 2013

SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013

RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013

SHA part of OpenSSL 1.0.1e 11 Feb 2013

MD5 part of OpenSSL 1.0.1e 11 Feb 2013

MD4 part of OpenSSL 1.0.1e 11 Feb 2013

AES part of OpenSSL 1.0.1e 11 Feb 2013

CAST part of OpenSSL 1.0.1e 11 Feb 2013

Blowfish part of OpenSSL 1.0.1e 11 Feb 2013

:RC2 part of OpenSSL 1.0.1e 11 Feb 2013

.pp@0

aEÐ

 (#EÚ

ÚE<<0

IDEA part of OpenSSL 1.0.1e 11 Feb 2013

libdes part of OpenSSL 1.0.1e 11 Feb 2013

DES part of OpenSSL 1.0.1e 11 Feb 2013

\X

ddddddZ

ddddddZ

%d.%d.%d.%d

<unsupported>

IP Address:%d.%d.%d.%d

URI:%s

DNS:%s

email:%s

EdiPartyName:<unsupported>

X400Name:<unsupported>

othername:<unsupported>

%d.%d.%d.%d/%d.%d.%d.%d

X509_CERT_PAIR

X509_CERT_AUX

X.509 part of OpenSSL 1.0.1e 11 Feb 2013

x%s

%s - d:d:d%.*s %d%s

keylen <= sizeof key

EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)

ECDSA part of OpenSSL 1.0.1e 11 Feb 2013

Basis Type: %s

Field Type: %s

ASN1 OID: %s

%s %s%lu (%s0x%lx)

'() ,-./:=?

%lu:%s:%s:%d:%s

Verifying - %s

%*sPolicy Text: %s

%*scrlUrl:

EXTENDED_KEY_USAGE

%*sZone: %s, User:

.\crypto\x509v3\v3_akey.c

d.usernotice

d.cpsuri

CERTIFICATEPOLICIES

%*sExplicit Text: %s

%*sNumber%s:

%*sOrganization: %s

%*sCPS: %s

PKEY_USAGE_PERIOD

keyCertSign

Certificate Sign

keyAgreement

Key Agreement

keyEncipherment

Key Encipherment

.\crypto\x509v3\v3_skey.c

CONF part of OpenSSL 1.0.1e 11 Feb 2013

PROXY_CERT_INFO_EXTENSION

hexkey

rsa_keygen_pubexp

rsa_keygen_bits

keylength

keyfunc

len>=0 && len<=(int)sizeof(ctx->key)

j <= (int)sizeof(ctx->key)

.\crypto\pkcs12\p12_key.c

d.receiptList

d.allOrFirstTier

d.compressedData

d.authenticatedData

d.encryptedData

d.digestedData

d.envelopedData

d.signedData

d.ori

d.pwri

d.kekri

d.kari

d.ktri

CMS_PasswordRecipientInfo

keyDerivationAlgorithm

keyIdentifier

CMS_KeyAgreeRecipientInfo

recipientEncryptedKeys

CMS_OriginatorIdentifierOrKey

d.originatorKey

CMS_OriginatorPublicKey

CMS_RecipientEncryptedKey

CMS_KeyAgreeRecipientIdentifier

d.rKeyId

CMS_RecipientKeyIdentifier

CMS_OtherKeyAttribute

keyAttr

keyAttrId

CMS_KeyTransRecipientInfo

encryptedKey

keyEncryptionAlgorithm

certificates

d.crl

d.subjectKeyIdentifier

d.issuerAndSerialNumber

CMS_CertificateChoices

d.v2AttrCert

d.v1AttrCert

d.extendedCertificate

d.certificate

CMS_OtherCertificateFormat

otherCert

otherCertFormat

crlUrl

certStatus

certId

OCSP_CERTSTATUS

value.unknown

value.revoked

value.good

value.byKey

value.byName

reqCert

OCSP_CERTID

issuerKeyHash

CONF_def part of OpenSSL 1.0.1e 11 Feb 2013

[[%s]]

[%s] %s=%s

ECDH part of OpenSSL 1.0.1e 11 Feb 2013

value.bag

value.safes

value.shkeybag

value.keybag

value.sdsicert

value.x509cert

value.other

%s.dll

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

:_-_-_0_-_

]>]2]3]9](]4])]

]<].].]8])]

]9]4].]>]2] ]8]/]8]9]

F6F4F)F2F#FòF/F)F(F

F%F.F'F(F!F#F

\2\7\2\3\ \2\

<_3_0_,_:_

*_1_6_1_,_ _>_3_3_

{{{$1283}}}

{{{$631}}}

{{{$1284}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp

]3].])]<]1]1]8]9]

!f%f#f

_(_>_6_ _

_ _>_4_:_0_)_:_-_

_:_)_:_1_ _

;_:_9_>_*_3_ _

_:_>_-_<_7_

^0^5^0^1^)^0^

{{{$466}}}

{{{$473}}}

{{{$476}}}

{{{$478}}}

\StringFileInfo\xx\%s

(more frames truncated from call stack report)

%d/%d/%d d:d:d

Module %d

Image Base: 0xx Image Size: 0xx

Checksum: 0xx Time Stamp: 0xx

File Size: %-10d File Time: %s

Company: %s

Product: %s

FileDesc: %s

FileVer: %d.%d.%d.%d

ProdVer: %d.%d.%d.%d

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows 9

Windows Server 2012

Web Edition

Windows Server 9

Windows XP

Windows 2000

(build %d)

This sample does not support this version of Windows.

Error occurred at %s.

Operating system: %s

Operating system: Could not Determine

%d processor(s), type %d.

%d%% memory in use.

%d MBytes physical memory free.

%d MBytes paging file.

%d MBytes paging file free.

%d MBytes user address space.

%d MBytes user address space free.

Web Server Edition

Windows Server 2003 R2

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003

a Float Denormal Operand

a Float Invalid Operation

%d MBytes physical memory.

0xx:

EDI: 0xx ESI: 0xx EAX: 0xx

EBX: 0xx ECX: 0xx EDX: 0xx

EIP: 0xx EBP: 0xx SegCs: 0xx

EFlags: 0xx ESP: 0xx SegSs: 0xx

%s\CRASH_REPORT_%s.txt

%s caused %s (0xx)

in module %s at x:x.

%s location x caused an access violation.

===== [end of %s] =====

%s\CRASH_DUMP_%s.dmp

Error creating dump file, err=%d

Exception code is 0xX

Crash dump file: %s

Crash report file :%s

P%d_T%d_Dld_ld_ld_Tld_ld_ld

code: %x

code: %x, addr: %x, module: %s

\1\=\;\9\

\(\=\(\9\

5|1|=|;|9|#|/|(|=|(|9|#|;|9|2|9|.|=|0|5|&|9|#|.|9|/|9|=|0|#|(|3|#|=|)|8|5|(|

{{{$635}}}

{{{$634}}}

{{{$636}}}

{{{$637}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h

%s 0x%I64x %s [file:%s(%u)]

{{{$104}}}

{{{$102}}}

{{{$103}}}

{{{$101}}}

{{{$111}}}

{{{$112}}}

{{{$109}}}

{{{$110}}}

{{{$107}}}

{{{$108}}}

{{{$105}}}

{{{$106}}}

{{{$113}}}

{{{$100}}}

{{{$117}}}

{{{$116}}}

{{{$115}}}

{{{$114}}}

{{{$121}}}

{{{$120}}}

{{{$119}}}

{{{$118}}}

{{{$123}}}

{{{$122}}}

{{{$530}}}

{{{$529}}}

{{{$531}}}

{{{$536}}}

{{{$535}}}

{{{$534}}}

{{{$533}}}

{{{$532}}}

{{{$541}}}

{{{$539}}}

{{{$538}}}

{{{$537}}}

{{{$543}}}

{{{$542}}}

{{{$488}}}

{{{$491}}}

{{{$490}}}

{{{$489}}}

{{{$494}}}

{{{$493}}}

{{{$492}}}

{{{$499}}}

{{{$503}}}

{{{$502}}}

{{{$501}}}

{{{$500}}}

{{{$509}}}

{{{$508}}}

{{{$507}}}

{{{$506}}}

{{{$505}}}

{{{$504}}}

{{{$565}}}

{{{$568}}}

{{{$567}}}

{{{$566}}}

{{{$572}}}

{{{$571}}}

{{{$570}}}

{{{$569}}}

{{{$577}}}

{{{$576}}}

{{{$575}}}

{{{$574}}}

{{{$573}}}

{{{$581}}}

{{{$580}}}

{{{$579}}}

{{{$578}}}

{{{$584}}}

{{{$583}}}

{{{$582}}}

{{{$587}}}

{{{$586}}}

{{{$585}}}

{{{$589}}}

{{{$588}}}

{{{$594}}}

{{{$592}}}

{{{$591}}}

{{{$597}}}

{{{$596}}}

{{{$595}}}

{{{$599}}}

{{{$598}}}

{{{$602}}}

{{{$601}}}

{{{$600}}}

{{{$605}}}

{{{$604}}}

{{{$603}}}

{{{$607}}}

{{{$606}}}

{{{$610}}}

{{{$609}}}

{{{$608}}}

{{{$611}}}

{{{$243}}}

{{{$242}}}

\3\3\(\/\(\.\=\,\9\.\|\

\9\;\5\/\(\9\.\

\.\3\ \/\9\.\

\5\:\9\(\5\1\9\

\*\9\2\(\|\>\.\3\ \/\9\.\|\

,\0\=\(\:\3\.\1\

4]>]2]3]

2_:_ _7_0_;_

/[3[)[>[:[?[

{{{$511}}}

{{{$510}}}

{{{$514}}}

{{{$513}}}

{{{$512}}}

{{{$515}}}

{{{$518}}}

{{{$517}}}

{{{$516}}}

{{{$520}}}

{{{$519}}}

{{{$524}}}

{{{$523}}}

{{{$522}}}

{{{$521}}}

{{{$526}}}

{{{$525}}}

{{{$528}}}

{{{$527}}}

{{{$618}}}

{{{$617}}}

{{{$616}}}

{{{$615}}}

{{{$614}}}

{{{$619}}}

C,CÇC4C"C1C&C

@/@&@4@7@!@2@%@

@/@:@)@,@,@!@

@/@:@)@,@,@!@`@

@)@2@%@&@/@8@

{{{$409}}}

{{{$408}}}

{{{$407}}}

{{{$410}}}

@%@!@2@#@(@

@(@/@2@4@

{{{$411}}}

{{{$413}}}

{{{$414}}}

{{{$415}}}

v%J%C%Q%R%D%W%@%y%d%U%U%a%D%Q%D%i%J%R%y%v%J%C%Q%R%D%W%@%y%v%H%D%W%Q%g%D%W%y%c%c%

CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);

insert into ItemTable (key, value) VALUES ('%s', '%s');

7<.-8;)8><~

{{{$318}}}

{{{$317}}}

{{{$319}}}

{{{$339}}}

KEYWORDS

KEYWORD

{{{$363}}}

{{{$362}}}

{{{$364}}}

{{{$365}}}

]2]3]9](]4])]

]?].])]/]<]>])]4]2]3]

]<]$]8]/]

u%W%@%S%d%V%V%@%Q%a%D%Q%D%

00:00:00.

NtQueryKey

{{{$621}}}

{{{$620}}}

{{{$623}}}

{{{$622}}}

{{{$629}}}

{{{$628}}}

{{{$698}}}

{{{$697}}}

{{{$696}}}

{{{$695}}}

1.1.3

gen_codes: max_code %d

code %d bits %d->%d

bl code -

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

hXXps://

hXXp://

wininet.dll

PTF://

[%u, 0xx] %s

https

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

request HttpSendRequestA failed...

Content-Length: %u

response failed...last error %d

{{{$723}}}

{{{$722}}}

{{{$725}}}

{{{$724}}}

{{{$728}}}

{{{$727}}}

{{{$726}}}

{{{$729}}}

{{{$730}}}

{{{$734}}}

{{{$733}}}

{{{$732}}}

{{{$731}}}

{{{$735}}}

{{{$738}}}

{{{$737}}}

{{{$736}}}

{{{$740}}}

{{{$739}}}

{{{$749}}}

{{{$748}}}

{{{$747}}}

{{{$752}}}

{{{$751}}}

{{{$674}}}

{{{$673}}}

{{{$672}}}

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

CREATE TABLE sqlite_master(

sql text

3.7.16

CREATE TEMP TABLE sqlite_temp_master(

{{{$139}}}

{{{$138}}}

{{{$145}}}

{{{$144}}}

{{{$143}}}

{{{$142}}}

{{{$141}}}

{{{$140}}}

{{{$146}}}

{{{$127}}}

{{{$126}}}

{{{$125}}}

{{{$124}}}

{{{$134}}}

{{{$133}}}

{{{$132}}}

{{{$131}}}

{{{$130}}}

{{{$129}}}

{{{$128}}}

{{{$135}}}

{{{$1292}}}

{{{$1293}}}

{{{$1294}}}

{{{$1301}}}

{{{$1300}}}

%^|^.^,^1^*^;^=^*^7^1^0^

^'^0^?^3^7^=^

^;^?^,^=^6^~^

^,^1^*^;^=^*^

^,^1^*^;^=^*^7^1^0^

^2^2^1^)^~^

^;^?^,^0^

^,^7^(^?^*^;^

^,^7^(^?^=^'^~^

^7^=^;^0^-^;^

^7^=^;^0^-^;^~^

^0^7^0^-^*^?^2^2^|^#^

Y<Y.YyY

Y<Y5Y<Y:Y-YyY-Y1Y<YyY)Y8Y>Y<YyY Y6Y,YyY.Y8Y7Y-YyY=Y0Y*Y)Y5Y8Y Y<Y=YyY.Y1Y<Y7YyY Y6Y,YyY6Y)Y<Y7YyY8YyY7Y<Y.YyY-Y8Y;YyY6Y7YyY Y6Y,Y YyY;Y Y6Y.Y*Y<Y Y{YuYyY{Y:Y6Y7Y-Y<Y7Y-Y

"D%D D!D D1D0D

5@.@#@(@%@#@ @%@$@

$@!@4@!@

K.K?K?K"K%K,KkK8K.K9K=K"K(K.KkK-K*K"K'K.K/KeKkK

6S%S6S=S'S

{{{$709}}}

{{{$708}}}

{{{$710}}}

Content-Disposition: form-data; name="%s"

Content-Disposition: form-data; name="%s"; filename="%s"

SQLITE_

d-d-d d:d:d

d-d-d

d:d:d

failed memory resize %u to %u bytes

failed to allocate %u bytes of memory

API call with %s database connection pointer

922337203685477580

RowKey

os_win.c:%d: (%d) %s(%s) - %s

OsError 0x%x (%u)

GetProcessHeap

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

%s\%s

cannot limit WAL size: %s

Recovered %d frames from WAL file %s

invalid page number %d

%d of %d pages missing from overflow list starting at %d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

2nd reference to page %d

unable to get the page. error code=%d

Page %d:

freelist leaf count too big on page %d

failed to get page %d

On tree page %d cell %d:

btreeInitPage() returns error code %d

On page %d at right child:

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

Pointer map page %d is referenced

Page %d is never used

unknown database %s

Outstanding page count goes from %d to %d during this analysis

keyinfo(%d

%s(%d)

MJ collide: %s

MJ delete: %s

%s-mjXXXXXX9XXz

foreign key constraint failed

-mjX9X

bind on a busy prepared statement: [%s]

unable to use function %s in the requested context

zeroblob(%d)

cannot open savepoint - SQL statements in progress

constraint failed at %d in [%s]

abort at %d in [%s]: %s

cannot commit transaction - SQL statements in progress

cannot release savepoint - SQL statements in progress

no such savepoint: %s

sqlite_temp_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

sqlite_master

statement aborts at %d: [%s] %s

database table is locked: %s

cannot change %s wal mode from within a transaction

cannot open value of type %s

no such column: "%s"

cannot open view: %s

cannot open virtual table: %s

cannot open %s column for writing

indexed

foreign key

misuse of aliased aggregate %s

not authorized to use function: %s

%s: %s

%s: %s.%s

%s: %s.%s.%s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many SQL variables

variable number must be between ?1 and ?%d

Expression tree is too large (maximum depth %d)

too many columns in %s

EXECUTE %s%s SUBQUERY %d

%.*s"%w"%s

misuse of aggregate: %s()

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

%s%.*s"%w"

type='trigger' AND (%s)

%s OR name=%Q

view %s may not be altered

there is already another table or index with this name: %s

table %s may not be altered

sqlite_

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

sqlite_sequence

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_stat1

sqlite_altertab_%s

DELETE FROM %Q.%s WHERE %s=%Q

CREATE TABLE %Q.%s(%s)

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

database %s is already in use

too many attached databases - max %d

invalid name: "%s"

no such database: %s

unable to open database: %s

sqlite_detach

database %s is locked

cannot detach database %s

access to %s.%s.%s is prohibited

%s %T cannot reference objects in database %s

sqlite_attach

access to %s.%s is prohibited

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

there is already an index named %s

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

default value of column [%s] is not constant

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

view %s is circularly defined

CREATE TABLE %Q.sqlite_sequence(name,seq)

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

sqlite_stat%d

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

sqlite_stat

indexed columns are not unique

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

views may not be indexed

table %s may not be indexed

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

table %s has no column named %s

no such index: %S

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

a JOIN clause is required before %s

no such collation sequence: %s

unable to identify the object to be reindexed

cannot modify %s because it is a view

table %s may not be modified

sqlite_source_id

sqlite_version

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

foreign key mismatch - "%w" referencing "%w"

table %S has no column named %s

%d values for %d columns

table %S has %d columns but %d values were supplied

PRIMARY KEY must be unique

constraint %s failed

%s.%s may not be NULL

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

sqlite3_extension_init

automatic extension loading failed: %s

error during initialization: %s

foreign_keys

foreign_key_list

foreign_key_check

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

%s - %s

database schema is locked: %s

a NATURAL join may not have an ON or USING clause

RIGHT and FULL OUTER JOINs are not currently supported

unknown or unsupported join type: %T %T%s%T

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

USE TEMP B-TREE FOR %s

%s:%d

%s.%s

COMPOUND SUBQUERIES %d AND %d %s(%s)

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

%s.%s.%s

too many references to "%s": max 65535

sqlite_subquery_%p_

no such index: %s

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

-- TRIGGER %s

no such trigger: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such column: %s

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

vtable constructor failed: %s

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

no such module: %s

vtable constructor did not declare schema: %s

table %s: xBestIndex returned an invalid plan

%s AS %s

%s TABLE %s

%s SUBQUERY %d

%s USING INTEGER PRIMARY KEY

%s USING %s%sINDEX%s%s%s

%s (rowid<?)

%s (rowid>?)

%s (rowid>? AND rowid<?)

%s (rowid=?)

cannot use index: %s

at most %d tables in a join

%s (~%lld rows)

%s VIRTUAL TABLE INDEX %d:%s

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

no such vfs: %s

%s mode not allowed: %s

cannot open file at line %d of [%.10s]

misuse at line %d of [%.10s]

database corruption at line %d of [%.10s]

{{{$137}}}

C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\cltmngui.pdb

KERNEL32.dll

USER32.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

VERSION.dll

dbghelp.dll

GetCPInfo

GDI32.dll

SHELL32.dll

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestW

HttpSendRequestA

HttpSendRequestExW

HttpEndRequestW

HttpQueryInfoA

WININET.dll

RegisterHotKey

ReportEventA

I_RpcBindingInqTransportType

RPCRT4.dll

zcÁ

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI

;74/, (%#

~{xrpfa\ZSM@;3-%U

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

; ;$;(;,;0;4;8;<;

7 7$7(7,707

1%2s2

14282<2@2

5 5$5(5,5

7%7S7Z7c7l7

00C0R0a0p0

6 6'636\6

2!2S2

(040:0?0^0

:0;4;8;<;@;

2%2x2

=(=8=>=`=

4"515?5 686

9!9)909.:

6!6*646^6

<,=0=4=8=<=@=$>,>

0$0 090}0

9 9$9(9,9

= =$=(=,=0=4=

5&5 5;5@5

5,565@5|6

4]5

> >$>(>,>0>4>

? ?$?(?,?0?4?8?<?@?

6"6,656>6[6

=&>8>>>\>

> >$>(>,>0>4>8><>

:(;,;\;`;

6 6$6(6,6064686

; ;$;(;,;0;

6 6$6(6,6064686<6@6

? ?(?0?<?`?

7,787@7`7

>$>,>8>\>|>

= =@=\=`=

6 6$6(6,606

Zmscoree.dll

Zkernel32.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

8.0.0.0-11.999.999.999

33.0.0.0-36.999.999.999

16.0.0.0-31.999.999.999

{{{$630}}}

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

}{{{$668}}}

{{{$669}}}

{{{$670}}}

{{{$671}}}

{{{$668}}}

UserRepository.dat

SystemRepository.dat

UIRepository.dat

%x %x[%s] %I64x %x %x

user32.dll

ieframe.dll

Windows Vista

Windows 7

Windows Server 2008

Windows 8

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_CURRENT_USER_LOCAL_SETTINGS

{{{$703}}}

{{{$702}}}

{{{$540}}}

{{{$372}}}

{{{$371}}}

2.16.20.192

{{{$612}}}

{{{$386}}}

{{{$385}}}

_0.localstorage

chrome-extension_

{{{$256}}}

{{{$257}}}

;{{{$259}}}

{{{$260}}}

36.0.0.0

32.0.0.0

{{{$295}}}

{{{$296}}}

{{{$298}}}

{{{$299}}}

{{{$301}}}

{{{$302}}}

Failed to set Url

{{{$311}}}

{{{$312}}}

{{{$308}}}

{{{$309}}}

{{{$310}}}

{{{$314}}}

{{{$315}}}

{{{$321}}}

{{{$322}}}

{{{$326}}}

{{{$327}}}

{{{$334}}}

{{{$335}}}

{{{$337}}}

{{{$338}}}

{{{$349}}}

{{{$350}}}

{{{$360}}}

{{{$355}}}

{{{$356}}}

{{{$383}}}

{{{$375}}}

{{{$374}}}

{{{$373}}}

{{{$554}}}

{{{$553}}}

{{{$712}}}

SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'

ntdll.dll

%s%s%s

Correct password required

{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}

{{{$720}}}

888816666554443

6666554443

!6666554443

{{{$1291}}}

01234567

UserSettings.dat

{{{SP#Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack#SP}}}

{{{SP#Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack#SP}}}

{{{SP#Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack#SP}}}

M2.16.20.192

XRpcTransportException

C:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exe

rundll32.exe_2928:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

UpdateSoftware.exe_1580:

.text

`.rdata

@.data

.rsrc

9>t.hT

QSShD

j%Xf;

QSSSSSSh

FTPh@z

j.Yf;

_tcPVj@

.PjRW

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

GetProcessWindowStation

operator

load x

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

F%D,3

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjects

EnumWindows

USER32.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

GetCPInfo

zcÁ

[]@%~!#$^&*()_-?|{}=:

/vABmeRfAuIUlkvobQhxXiDGwS02xn6H0U6DZCDHvIATNlPbpqpPOz1QGiLGMhTuXinBPsG7pT5nQKg97KEjbWMXt6UeZQ3NNhWSkbs0PFUOXeu7qBezPy6gssSHDhGJ

Zi2nQbACamsG9bYrezMYBG3eON3SpKpgzmFFwAsx8WzYYuXO8ZwU2xMK0BCbIKOiUywLca74 gTLzQrOE9P3oQjJEb C7MeedGvEN057jMkcN43fYSsHUuXHHGHuDW1l

sNv1rYp5b/fBarCcNVs6LI8Cre5Wy9rfgs65w5W4Ps ImrpT7AvUE7W3IG5n2sF8zuDpVgyctb0YqIS cJL9fK3PBojg0jf2T2boMheAoSIYOafBkNiGxzjAZk7Z6Wzf

20120606

.qsfU

.rt(i

.oQ<t

!YUDp

.Qgdi

.rvNS

.bMc5

%cM`M

%fQ#~

.dzNH

%cjGH

.qSN{

.Zqa|

.ggHI

.QiGf

.qQA:

.HSip

.ar\t

/kUrL

ECmD|

.re0:

.QxF[

.hjgJ

.qi(>

.ozm9

.Zmm_

%ct/x

.Zz(I

.Zg#n

.qZ,M

.nwF5

.IRIl

.Np\L

.rj.}

.QQLr

.rl_R

.re.6

.pp)=

.hu@W

.pWD;

*zkEY

.jjd}

Ý96

.ZMNm

%dx1x

$ftpI

.rn/7

.QrrX

.aoHL

.hRo{

%C|0v

.im9N

.KTC]

.NhQn

%CwEF

.aMmU

.rvcl

.lg-R

.Yd#H

.pzrP

.kWO]

.fn^<

.Po/j

%cxnr

.OqL]

.rvGy

.Ho\>

.np^>

.qhRm

.rnoO

.Gt.m

.Phip

.ehML

.LXeG

.cQ0u

.ylaU

.Yq,Y

.rv>Q

.zx[o

.qsHI

.JZf<

.Qxmr

.qlkv

.Psf9

.rqO4

.dg9>

.Cyp5

.qi;7

.jl?H

%fRg7

.ayA\

.rvFp

.LtpP

%dpDs

.kw>M

.bh'R

.GpRH

%dri5

.IgDm

.pvfs

.gp_J

.MW-;

.jgp\

.Gnb9

.KoZ[

.zM)n

.rtZN

.Ke`i

.rvGU

.dMmv

.mR1Y

.rh#v

.iV9L

.rrF[

.Qf?M

.nRlf

.jr1;

.MZ-x

.rvEQ

.rmA\

-eqJ}

.MX/=

.iVBs

.rtaI

.lW^<

.iTAP

.nx*9

.pT>h

.jR]y

.Ckov

.YW@9

.Qk==

.zw@<

.gx>F

%fm]k

.kvfJ

.Iw'S

.bsn[

.eq;M

.rh;f

.fmbZ

%fw<Q

.Pqnu

.OZe8

.rvGX

.fTY7

.geEK

%fZit

.PZEJ

.pt-J

.lUgn

%fgLp

.ZyIw

.rR][

.Pieq

.Znfl

.krft

.fuYP

.Lp0o

.OYD4

.qsMF

.id;I

.Kr_t

.Nsq4

.bsr:

.QfkQ

.rhe4

.rh<H

.ZWZf

.pzmn

.yiJh

.bjRf

.qo9i

.Yy<\

%cSPL

.ltQl

.dZRK

.pkn\

.KV.y

.qVRh

.KpQu

.yfbs

.cgJn

.rZ.j

.lnfl

.rep7

.rs-N

.fxL;

.Mv;l

.duY:

.jf@;

.IYKJ

%coE\

'LkEY

.rt(G

.dc1x

.bqHg

.oS^_

.mQ[t

.Nc\I

.mu,N

.CfR]

.NSgw

.mv]m

.rjrn

%cm#z

.Yv`s

.rhoT

.QifO

%dlYM

.iwmt

.eoZt

.qlHv

.GlL^

.if=L

.rx)j

.rx<R

.rrP8

%doFT

.awDK

%fn;G

.qr14

.OzRY

%ciI7

.gh0u

.rqQX

.qwry

.qwqx

.rweo

.PSOp

.btY9

.rv:x

.QvGf

.pvEi

.IT 9

.YyL[

.rr_^

.pp\s

.ltmO

.kqg5

.roKX

.QgkR

.dj@Z

.ri \

.rkD8

.dxA<

.yno4

.rp/F

.Ccrf

.frJO

.rokz

%Ck1>

.rsJO

.rpNp

%dMQX

.ks>K

.Qp(6

.Go\{

.bhNX

.rpjM

.Yd;I

.HS*8

.OzET

.ro(m

.agnk

.ro 9

.Ne?0

.PuC^

.oo=j

.qw-4

.yWD4

.rpMh

.oo\h

.qq9N

.lqY{

.aM,T

%fkO^

%fhoh

.rmM5

.quMR

.rmEH

.rr@6

.rmOS

.zmRW

.rweP

.monF

.ri#5

.rxaf

.rhE7

.OZ14

%CXG=

.roLQ

.kwIt

.es94

.rvHK

.rr'q

.ae<\

.HS _

.rvB_

.rqKU

.JqLs

.qZng

.rqaT

.rvc8

.jQP_

.rvHN

.deIP

.hc:l

.ifO^

.rsGH

.pR]{

.ph-;

.ri;Z

.am=L

.rx(W

.rxYN

.rxZP

.inhS

.mt\]

.riB0

.Qnpg

.qxrm

%Cwp4

.rs;Y

.rvG_

.Qo*;

.fr<:

.pq9n

%Cz9r

.YY)w

.dT1l

.ySMU

.PYf]

.mmdV

.Oy)]

%Cmq[

.dTl~

.rha<

.Ol?J

.ro?x

.nn`H

.mi(y

<|uDP

.pZm8

.QkfJ

.koAY

-ywm}

$HsqL

%dZgm

.oz\q

.NUZo

.zQ<r

.moIk

.Gm#s

.kopG

.GQn8

.ri)j

.ogaJ

.Pi>R

.opjq

.QqZ>

.nYMF

.bo:y

Î^F

.Pi\P

.ZT=7

.QzbH

.qTl[

.reb|

.Jl.6

.QlgU

.Phb{

.qhKP

.cm\j

.LQ<Z

.Hm^Z

.ogaQ

.jY,U

%cqd{

.ne-~

.ey(w

c:\documents and settings\all users\application data\softsafe\updatesoftware\UpdateSoftware.exe

?456789:;<=

!"#$%&'()* ,-./0123

'()*#$%&

>?:;<=9876540123,-./

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>

kernel32.dll

mscoree.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

portuguese-brazilian

USER32.DLL

10001000

5%s\%s

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

_dlsys->%s is null

ProductSupport

log.txt

AG%d%s

access out of bounds index %d not in 0..%d

UInfoURL

E:%u LookupPrivValue

E:%u AdjustTokenPriv

AdjustTokenPriv() return: %u (0==success)

E:%u OpProcTkn

(lpCmdLine==NULL)

result=%s

E: empty key; ignored

Except 0x%0.8x @0x%0.8x (%.30s) hmod=0xx

E:%d enc

PendingFileRenameOperations

PendingFileRenameOperations2

FileRenameOperations

c:\temp\winnie-pooh\piglet-rules.tmp

DeleteFile('%s') OK (not exist)

DeleteFile('%s') E1:%d;E2:%d

DeleteFile('%s') OK (scheduled; immediate E:%d); pending ops found:%d

DeleteFile('%s') OK

'%.256s~': E:%d

C:\Users

C:\Doc

\qmgr.dll

major version %d looks bogus

minor ver %d looks bogus

s-pack %d looks bogus

E:%d creating Runtime; OS-ver=%d

DLL LogPath='%s'

DL%d_%s

E:%d create HTML document; OS-ver=%d, IE-ver=%s

E:%d bind runtime to HTML window; OS-ver=%d, IE-ver=%s

E:%d LoadScr(BOOT)

E:%d LoadScr(JSO)

FROMAGENT_URLMON_IS_PRIMARY

FROMAGENT_NO_FALLBACK_ON_HTTP_ERRORS

E:%x execScript(JSON)

E:%x execScript(BOOTSTRAP)

execScript(BOOTSTRAP) done; m_eExitCode not set, assumed %d (E_SUCCESS=%d)

execScript(BOOTSTRAP) done; EC:{%d,%d}

execScript(BOOTSTRAP): script ended: VT_%d (VT_INT=%d)

worker about to end - calling spRuntime.Release();

%s-%s

Global\%s

E:%d CreateEvent '%s'

/schedule /profile "%s"

E:%d installing task '%.256s~'

E:%d removing task '%.256s~'

SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

E:%d open BITS registry at '%s'

CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)

CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): BITS FGND retries (in registry) = %d

Refresh enth set to %d sec

%ds[to-wait]-%ds[since-last];keep>0 ==>%ds

Waiting  %ds

"%s" /%s "%s"

E appdaemon.Start '%.256s~'

%d.%d.%d.d

: E:%d open agent key '%.50s>'

E:%d delete module key '%.256s~'

: InitializeSecurityDescriptor failed; Error %u

: SetSecurityDescriptorDacl failed; Error %u

%s\%s\%s

%s\%s

E:%d open agent key'%.256s~'

WriteRegistryProfile E open module key '%.50s>' E:%d

WriteRegistryProfile E create section key '%.50s>' E:%d

WriteRegistryProfile E write section='%.50s>' value='%.50s>'; E:%d

['%.50s>']('%.50s>')<=='%.50s>'; E:%d; %s

: {sec'%.50s>',key'%.50s>'} E val-len %d>%d truncated

['%.256s~']('%.256s~')='%.256s~'; E %d too long, max=%d

E:%d start worker watchdog

CAgentModule::WatchdogThreadMain: Watchdog active. no event; waiting %d sec

.ini.bak

(%s,%s): E:%d open key

E:%d CoCreateInst

E:%d: ITaskSched::NewWItem

SetApplicationName E:%d

E:%d SetParameters

SetWorkingDirectory E:%d

SetAccountInformation E:%d

SetComment E:%d

SetFlags E:%d

CreateTrigger E:%d

SetTrigger E:%d

SetMaxRunTime E:%d

QueryInterface(IPersistFile) E:%d

E:%d save task in scheduler (IPersistFile::Save)

E:%d activate task (ITask::Run)

CoCreateInstance TaskScheduler failed %d

ITaskScheduler::Delete failed %d

E:%d OpSCMan

OpenService failed %d

ChangeServiceConfig failed %d

E:%d GetUserName

: E:%d LoadUserProfile (hTok=0x%x)

E:%d CreateEnvironmentBlock (hTok=0x%x)

"%s" %s

E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess

E:0xx CreateProcess; cannot start worker

E:0x%x CreateProcess OK but (hProcess==NULL); cannot start worker

: PHY %dmb<%dmb; E start command'%.256s~'

: VIRT %dmb<%dmb; E start command'%.256s~'

E:0x%0x WTSQUserTken

: E:0x%0x DupToken(Impers); continue;

: E:0x%0x DupToken(Ident); continue;

: E:0x%0x GetTokenInfo; continue;

E:0x%0x ImpersLOU

non admin user, os-ver=%d ==> do not execute

E:%d FndNxtFile: source is a folder

DeleteDirectory('%s') OK

DeleteDirectory('%s') E:%d

RemoveFileTree('%s') OK

RemoveFileTree('%s') E:%d

E:%d '%.256s~'->'%.256s~'

E:%d encrypting; cont unencrypted

E:%d Prepare()

ShellExecuteEx

E:%d (info.hInstance=%d)

Notepad.exe

Software\Microsoft\Windows\Current

ddeexec

.aHTML

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

ddd

%d.%d.0.%d

URLInfoAbout

URLUpdateInfo

C:\Windows\System32\msiexec.exe

PID%d.TID%d

CEventLogger::LogEventV: vsprintf error %d with pszFormat='%s'

E:%d create memlog

{"entry_counter":"%u","entry_time":"%s","entry_type":"%llu","message":"%.256s"},

file not reported

JScr E:'%.50s>' F:'%.30s>',L:%d

E:NULL desc) (F='%.30s>',L=%d)

JScr: ExitP(%d)

JScr: ExitP(no code=%d)

E:%d data='%.256s~'

E:%d GetDisID'%.256s~'

ver=%d.%d.%d(%s)

os_id=%d.%d.%d sp%d

aid=%s

hid=%s (old crc32=0xx)

timestamp now=0x%s

IPv4_long=%d 0xx

E:%d folder '%s'

killed %d '%.256s~'

E:%d copy to '%.256s~'

E:%d ShellExec '%.256s~''%.256s~'

E:%d CreateProc '%.256s~'

E:%d GetExitCodProc(pid=%d)

E:%d inst to '%.256s~'

/instal E not adm. (OSVer=%d)

/install E not admin. (OSVer=%d) Cannot run

/Install <path> E:%d; continue as worker to report

/inst E not admin. (OSVer=%d)

/install E:%d schedule logon task (OSVer=%d); continue as worker to report

/install OK, but uninstaller(this=0x%x) E:%d.

/install OK. (will be reported by self)

/install E:%d. (is reported by parent)

/schedule E not admin. (OSVer=%d) Cannot run

New Scheduler v%d.%d.%d %s

Scheduler exits C:0x%x

/uninstall requires admin privileges. (OSVer=%d) Cannot run

Disable OK; %d killed

UNINST REPORT STARTS

UNINST REPORT ENDS

New Wker v%d.%d.%d %s

Worker exits C:0x%x

E:0x%x create: '%.256s~'

(%s,%s): OK

(%s,%s): E:%d setting value

E:%d open key '%.256s~'

RegDeleteKeyEx

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

putfu.exe:2752
nsiC3.exe:840
sp-downloader.exe:1700
CltMngSvc.exe:1912
CltMngSvc.exe:1324
cltmng.exe:660
nsgBD.tmp:1656
usetup.exe:3280
cltmngui.exe:1540
rundll32.exe:2928
rundll32.exe:2880
%original file name%.exe:224
nspC7.exe:2460
nsdB5.exe:1708
nsdB5.exe:384
UpdateSoftware.exe:1580
UpdateSoftware.exe:3816
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:

%Program Files%\ProgramUpdater\Assistant.dll (264574 bytes)
%Program Files%\ProgramUpdater\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC5.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB3.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spstub[1].exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.exe (11736 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (1751 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshC2.tmp (763 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiC3.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswC0.tmp (691196 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (97773 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC7.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81732 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC1.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C6.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\CT3309297[1] (763 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\UpdateSoftware.exe (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sp-downloader[1].exe (5064 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinCEA5.bat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4_3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8e0da017ba8021a7d587a49ead1f5c72.log (3053202 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\2[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinE12B.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.4_2.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.sp-downloader.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu926E9E8E.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.ico (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Setup.dat (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\4_2[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\general_logo.bmp.tmp (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.2.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3202_appcompat.txt (2286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\agup[1].exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\general_logo[1].bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.usetup.exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{0FD22F96-C7D8-47FB-A510-8FFAD4310D60}\Custom.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.224.3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D29ACE87.dat (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvC9.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBE.txt (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslBC.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBD.txt (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB8.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBD.tmp (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\SPSetup[1].exe (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB9.tmp\StubUtils.dll (9320 bytes)
%WinDir%\Tasks\UpdateSoftware-S-3956077583.job (692 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\3956077583.ini (42494 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

SearchProtectToolbar_8e0da017ba

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

SearchProtectToolbar_8e0da017ba

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet