MD5: d3e0d7a52b022b043f657ae22d8aba84
SHA1: 3fd52d6685168c5afdc47160ceaaf2f39b2a7f72
SHA256: 3956d851b33900ac6850e7c535e7e5938c1cd85816002952d0b6d8633b139007
SSDeep: 12288:b1OgLdanv50/kxr3uzA qnSbr/KY9RObYJ4nIK ymRo OSZTN2TBxx696O:b1OYdaqNayr/X9sRGymC TTN2Nb6EO
Size: 779744 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Symantec
Created at: 2010-11-18 18:27:35
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:972

The Trojan injects its code into the following process(es):

SymCCISExe.exe:1560
SymInstallStub.exe:1788
nssSetup.exe:704

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymCCIS.dll (1302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymCCISExe.exe (9907 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (0 bytes)

The process SymCCISExe.exe:1560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SCC[1].dll (22747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.dll (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\SCC.config[1].txt (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymInstallStub.exe (35252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SymInstallStub[1].exe (44299 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.config (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.config (0 bytes)

The process SymInstallStub.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS2.tmp (698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS3.tmp (2556018 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\SymInstallStub.state.dat (790 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS3.tmp (0 bytes)

The process nssSetup.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstUI.dll (40137 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ccSet.dll (3388 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\09\01\InsBrand.loc (11 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\msvcp100.dll (3194 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\09\01\InsMUI.loc (3249 bytes)
%Documents and Settings%\All Users\Application Data\NortonInstaller\Logs\2014-07-05-09h23m10s\NortonInstall-2014-07-05-09h23m10s.log (69780 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\SKU.dll (10 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ccL120U.dll (6441 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Engine.dll (22617 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstStub.exe (42359 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ProdCbk.dll (1258 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Install.mft (1209 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Images\InsImage.dll (10217 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\fallback.dat (4 bytes)
%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\msvcr100.dll (6854 bytes)

The Trojan deletes the following file(s):

%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28 (0 bytes)

Registry activity

The process %original file name%.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 B2 95 AC BB 1D E3 F9 EC 99 CF 4C CD 7A B5 AC"

The process SymCCISExe.exe:1560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 35 A0 D0 49 E7 70 B9 A4 7C FB 4E 76 6B DB 04"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp]
"SymInstallStub.exe" = "SymInstallStub"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process SymInstallStub.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 88 46 B0 B7 01 70 17 AD 1D 59 C1 E8 69 E6 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Symantec\NPInstaller\AffID\AID_estorecj]
"NSS" = "aff_softonic-e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Symantec\Install_Stub]
"UID" = "01839ae7-8a82-407b-924e-9b7ff1a41474"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Symantec\Install_Stub\estorecj3.6.1.16]
"LaunchCount" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Symantec\Install_Stub\estorecj3.6.1.16]
"InstallDate" = "07/05/2014"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SymInstallStub\estorecj]
"nssSetup.exe" = "Norton Security Scan"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymInstallStub" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymInstallStub.exe /partnerid=estorecj /productlist=nss /staging=false /affid=softonic-e /dist=webbanner /delay=5 /launchedby=7 /fallback"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process nssSetup.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D6 74 62 EC 4C 0F AA C6 FB CF E3 DE 9A 6C 42"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSS" = "%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstStub.exe /RELAUNCH /RUNONCE /PRODID NSS"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSS]
"MEDIA" = "%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\nssSetup.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Symantec
Product Name: Norton Product Installer
Product Version: 2.1
Legal Copyright: Copyright (c) 2014 Symantec Corporation.
Legal Trademarks:
Original Filename: SymCCIS
Internal Name: SymCCIS
File Version: 2.1
File Description: SymCCIS
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
c4ad635a13cfa197788e87065319409e

URLs

URL	IP
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC.dll
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC/estorecj/ENG.SCC.config.txt
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC/estorecj/SCC.config.txt
hxxp://stats.norton.com/n/p?module=9160&product=SCC&version=4.6.0.11&language=09.01&os=5.1.2600.3.0&y=1033&a=estorecj&b=false&c=nss=install&d=nss=1000&e=0x0&error=0&n=0&j=0&k=0&l=none&m=none&o=none&q=none&t=none&u=-1&v=none	63.245.197.112
hxxp://stats.norton.com/n/p?module=9151&product=SymCCIS&version=2.1.0.20&language=09.01&os=5.1.2600.3.0&y=1033&b=estorecj&a=CallCriteriaChecker&f=10&c=false&d=false&e=0x0&error=0&j=nss=install&k=nss=1000&g=0.954&l=2.726&q=&t=&u=	63.245.197.112
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SymInstallStub.exe
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/IS/estorecj/SymInstallStub.config.txt
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/IS/nss/USEnglish/estorecj/Setup.exe
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC/estorecj/ENG.SCC.config.txt	212.30.134.160
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC.dll	212.30.134.160
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SymInstallStub.exe	212.30.134.160
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/IS/nss/USEnglish/estorecj/Setup.exe	212.30.134.160
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/IS/estorecj/SymInstallStub.config.txt	212.30.134.160
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC/estorecj/SCC.config.txt	212.30.134.160

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Norton Update User-Agent (Install Stub)
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /upgrade/NSS/SymCCIS/Production/IS/nss/USEnglish/estorecj/Setup.exe HTTP/1.1

User-Agent: SymInstallStub

Host: liveupdate.symantecliveupdate.com

Connection: Close

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "e17c3f4045655cfaeb2137c205748c1e:1398688555"

Last-Modified: Mon, 28 Apr 2014 12:33:08 GMT

Accept-Ranges: bytes

Content-Length: 10679800

Content-Type: application/octet-stream

Cache-Control: max-age=94

Expires: Sat, 05 Jul 2014 06:24:22 GMT

Date: Sat, 05 Jul 2014 06:22:48 GMT

Connection: close

GET /upgrade/NSS/SymCCIS/Production/SCC.dll HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "38212789a0f996c9f49d2646446c02f3:1402650668"

Last-Modified: Fri, 13 Jun 2014 09:09:28 GMT

Accept-Ranges: bytes

Content-Length: 167264

Content-Type: application/octet-stream

Cache-Control: max-age=1637

Expires: Sat, 05 Jul 2014 06:50:00 GMT

Date: Sat, 05 Jul 2014 06:22:43 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........r.........
........................E...............................Q.............
......................Rich............PE..L......S...........!........
.>.......z....................................................@....
.....................Ew......tx..{....p..=............t..`........... 
......................................................................
..........text....`.......T......PEC2TO...... ....rsrc.... ...p.......
X.............. ....reloc...............r..............@..............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.........................................................*..U..9k3e..O
.U...-.[O?wV|.........Uk .B..u3g5.I...jUi..c#.d.N.k.....jxf....f.....M
..k./K.>.'S(..8.......Wz.j.....Q.Q.z p...F.....Z...A.n..&...Id.....
..>o...5.1...&?.....cA.!.}L...>..u......D...c.~3.:.M%.d.......BU
.....o4[.$..|..n..$.vL<..~...Jd...uV.}....Q."..e..........Q...z..O.
P..;...R.qlm.z.......4.'..O.._.C..[..C...].._..`r.;[.c.9@2..,6..m1...x
.f=....d...9HR..?...A..?.f........>GUa..Q=^#\....<.e..e@r.)..y.Q
.J...{..<`*....~f.Q......p..V....P.BP...y..=...?.....>O.f.?.
<<< skipped >>>

GET /upgrade/NSS/SymCCIS/Production/SCC/estorecj/ENG.SCC.config.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Length: 292

Content-Type: text/html

Expires: Sat, 05 Jul 2014 06:52:31 GMT

Date: Sat, 05 Jul 2014 06:22:44 GMT

Connection: keep-alive

Cache-Control: public,must-revalidate,max-age=1800
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;char
set=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>.&
lt;H1>Not Found</H1> The requested object does not exist on t
his server. The link you followed is either outdated, inaccurate, or t
he server has been instructed not to let you have it. ....


GET /upgrade/NSS/SymCCIS/Production/SCC/estorecj/ENG.SCC.config.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Length: 292

Content-Type: text/html

Expires: Sat, 05 Jul 2014 06:52:31 GMT

Date: Sat, 05 Jul 2014 06:22:44 GMT

Connection: keep-alive

Cache-Control: public,must-revalidate,max-age=1800
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;char
set=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>.&
lt;H1>Not Found</H1> The requested object does not exist on t
his server. The link you followed is either outdated, inaccurate, or t
he server has been instructed not to let you have it. ....


GET /upgrade/NSS/SymCCIS/Production/SCC/estorecj/SCC.config.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "1fdaaca32d5a43947ca17e1f4c2a63b0:1382649161"

Last-Modified: Thu, 24 Oct 2013 21:10:26 GMT

Accept-Ranges: bytes

Content-Length: 1504

Content-Type: text/plain

Cache-Control: max-age=1407

Expires: Sat, 05 Jul 2014 06:46:12 GMT

Date: Sat, 05 Jul 2014 06:22:45 GMT

Connection: keep-alive
[email protected][email protected]....#....jZ..~.3.|..../).... g ..
.v.....V.*,#..\U{...:....b..._h.V.......5........DMMW!.)T.L.....a.$..?
<.@".:n..'..$}..t.e./[.h9..d:.U /.{../5`.&...X.. .(/. g ...vk.s.._3
..../).... g ...v..._h.V.q..W....r..W......._h.V.E.....e.s...3.......*
......_h.V...t;.=...h..._... g ...v...|S....F^....)..z.....4.R.....(..
.....>S;..q...........Q...9....6R..W.......Kj.U..6.T..:%...o.....m&
.Y[.B.......K..N<.o..........XY..Q..X4e..'..6R..W..X.Oh.p#.I_..r.&l
t;..._h.V...._h.V..jD.......f.. 1.....7InV/[.h9..d..._h.V.*.~kt...k..J
6o.$.0..k.O\.d31.N......q..Ql..)..n.pW"...l......./..S..z_.V.0...|M2p.
..$.Z...3^ .p.2...vB\.2)I.M.f.V&!.3..q....79VX.R.n."......q...Bg.-7U..
.SS.A.s.....v.a...Cg.o....T..T.E.q...w.....Y.....J......#..q)..V....]m
s...o.yc.Q.0........*.7r..)....g...B...I.1.~...Jc. [email protected]....|.
]...E>.X...#...8l...... ......&....f.OSl..`....e...9....GN.......y.
.7.p..|. ...L...........S...:s.)TN..T9S........t.~&iWQ.I]...d..;.!....
l...............y..7.p..|. . 1E [email protected]..>L:.s.... .e\.!.D az.<.l.
.....l.$.x...Jpc..dV.y.....D- .^.z.....z3...R..WU...6..2h...5oN#..k..O
#|Q...Q...9..Wg_U....'YO.Q.r....4..n1...e...9.J.X.~...V#CX.u..&.g.na5T
.:.rt.c...)..g .y?....O-HA...5.r_......./R$.L..9{b.....,.1..F..K.5....
....h........;`.....S...,l.......}....S)".."...T...0..7T..].>gQ,..%
!0*P....0..7T..4G...........7z...$.............OB..`.....)..g ...)..g 
.........5oN#..k.@c.:..7biL.<./....7.>....._h.V.bJ..7(p..V\0..7.
.&H.|d...&H.|d...&H.|d...&H.|d...&H.|d...&H.|d...&H.|d...&H.|d..
<<< skipped >>>

GET /upgrade/NSS/SymCCIS/Production/SymInstallStub.exe HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: liveupdate.symantecliveupdate.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "55d95cf2c2164ea7f95c089c1015036f:1403535622"
Last-Modified: Mon, 23 Jun 2014 14:59:33 GMT
Accept-Ranges: bytes
Content-Length: 358752
Content-Type: application/octet-stream
Cache-Control: max-age=1309
Expires: Sat, 05 Jul 2014 06:44:35 GMT
Date: Sat, 05 Jul 2014 06:22:46 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......5x..q...q...
q...j. .k...j.......xa6.w...j.......xa1.p...xa&.j...q..._....o..h....o
/.p....o(.p...Richq...........................PE..L......S............
.........................0....@.................................."....
@.....................................Q....p..8M...........`..`.......
.....7..........................................................`.....
...............text....`..............PEC2TO...... ....rsrc....`...p..
.`.................. ....reloc...............^..............@.........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.............................................t.Q.Pd.5....d.%....3...PE
Compact2.>..!....T..a..........C._.:.K.........r...G............U..
U....N.\>E..D..c........r.XZyAVy....b......n.\R.e.r..N.&.'..o.Uv..)
d..MNF1"|.)e..`g&.4.<'../e.!. w".:.r.7...`s8..a......a.Z;H....m.m..
P....}G1bJ....n)....~..-.._..P...Y.E$8..=...N...<.. L.[/@....F..3..
........B... Q.....[.}y;%...O.n.z*$..U;.}<aeb.9;^u...v.E....Km7..zi
WE...3l..)t.r..uA.......D.~.....[.. ./.Y..........<..6....'..q.,...
..?..6..C...pu.G....M.8.{..0..B...q.....T..j4.!zrZ...[5.e.....x.&j
<<< skipped >>>

HEAD /upgrade/NSS/SymCCIS/Production/IS/estorecj/SymInstallStub.config.txt HTTP/1.1
User-Agent: SymInstallStub
Host: liveupdate.symantecliveupdate.com
Connection: Close
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "00973789929a9f033841dd706229c87d:1357702423"
Last-Modified: Wed, 09 Jan 2013 01:15:20 GMT
Accept-Ranges: bytes
Content-Length: 1864
Content-Type: text/plain
Cache-Control: max-age=1791
Expires: Sat, 05 Jul 2014 06:52:38 GMT
Date: Sat, 05 Jul 2014 06:22:47 GMT
Connection: close


GET /upgrade/NSS/SymCCIS/Production/IS/nss/USEnglish/estorecj/Setup.exe HTTP/1.1
User-Agent: SymInstallStub
Host: liveupdate.symantecliveupdate.com
Connection: Close
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "e17c3f4045655cfaeb2137c205748c1e:1398688555"
Last-Modified: Mon, 28 Apr 2014 12:33:08 GMT
Accept-Ranges: bytes
Content-Length: 10679800
Content-Type: application/octet-stream
Cache-Control: max-age=427
Expires: Sat, 05 Jul 2014 06:29:55 GMT
Date: Sat, 05 Jul 2014 06:22:48 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........'-..I~..I~
..I~.E.~..I~.E.~h.I~.E.~w.I~...~..I~...~..I~...~..I~..H~..I~.E.~..I~.E
.~..I~.E.~..I~Rich..I~........PE..L...J.SR............................
[email protected].....@...............
......................x.......,G..........(........P..\...............
....................`...@...............,....... ....................t
ext............................... ..`.rdata..........................
....@[email protected]... [email protected]...,G.......H....
..............@[email protected][email protected]............
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..V...F3...E..t.V.....Y..
^]........U..Q.e..SV.u.....W..y.hW.........U...tPf.:.tJ...<H.H...H.
E.;.sWRW......<GYY.E.;}.sC.u.W.A...YY...M.PQ.u..T.......9....2.;;O.
}.........M.P....GP..................M.P......E._^[....U...}..V..t&.M.
..x...;H....u...HP.....YY..t. ........^]...VW.....p.V.V....N.QP.q...YY
V........._^.j....H.../.....u..e...F...PQ.E.P...m....v......Y..0...j..
<.H.../.....u..u.......u..e.....E.....u..u...........j0........H...
[email protected][email protected]..`..U..QS3.VW...E.9E.}..E..}.;.}.3....p.W
<<< skipped >>>

HEAD /upgrade/NSS/SymCCIS/Production/IS/nss/USEnglish/estorecj/Setup.exe HTTP/1.1
User-Agent: SymInstallStub
Host: liveupdate.symantecliveupdate.com
Connection: Close
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "e17c3f4045655cfaeb2137c205748c1e:1398688555"
Last-Modified: Mon, 28 Apr 2014 12:33:08 GMT
Accept-Ranges: bytes
Content-Length: 10679800
Content-Type: application/octet-stream
Cache-Control: max-age=94
Expires: Sat, 05 Jul 2014 06:24:22 GMT
Date: Sat, 05 Jul 2014 06:22:48 GMT
Connection: close


GET /upgrade/NSS/SymCCIS/Production/IS/estorecj/SymInstallStub.config.txt HTTP/1.1
User-Agent: SymInstallStub
Host: liveupdate.symantecliveupdate.com
Connection: Close
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "00973789929a9f033841dd706229c87d:1357702423"
Last-Modified: Wed, 09 Jan 2013 01:15:20 GMT
Accept-Ranges: bytes
Content-Length: 1864
Content-Type: text/plain
Cache-Control: max-age=867
Expires: Sat, 05 Jul 2014 06:37:15 GMT
Date: Sat, 05 Jul 2014 06:22:48 GMT
Connection: close
.?J\..Su..e......\Bm...I....C..$...W.....e....J.Cm6.....DX..E..'....p.
..}.<..,.o.9qG.....".....eB@(.,..F.......d.f|^J...........]|.0.D...
...8...:...^[......K...2.,......u........6....#.b\...A22.,........ U..
.....[-.C.".....e."'@..Q..n....>)..6....1.x.gn5...............w.*.&
J.. j.p.b.x*.~d!....~fiq.yn...._.),.].r.K...l......Q..d!....~f..g:....
S.(....^.3Gf.....c.>...@2.,.....t.U.....h...5..&..=....].y.rE.}.d!.
...~f.....4....#u..4........ 2.,...... ...n..2.,.....7.` .F....NA..eI.
....U<.2.,.....2.,......$&.(...,.[...._."l{.].a2.,.....2.,.....Kls.
l,.g'@.:..`.2.,.....2.,........<.(/..xI.M...$y. ...3.".....e2.,....
....N...3...2b......g..R..9...u.@@~.N{r.X#.....%.2.,.....2.,......$&.(
....K..q '.R...\...2.,.....2.,.......;.j..Eod[.[.@g9F$t......@..@....~
.....2.,.....d!....~f"....I?6..?= ..." k8..y.I......p...P.fI^o#2...!@.
.rco..b.9..~y...;r.0.............W://..J@=..Jl<2.,.....2.,.........
.. Z.....\&.,$k.>.D..".....e2.,.......3...=.2.,...../XA}........,).
`.D...)j$....]....Xy....q...:.....c...\rP2.,..........VWR2.,..........
....~..X.....R..\w.......S.2.,.....`.......Uxr.wM(5..l.<G. l.....&g
t;.2.,.............2.,.....2.,.............2.,.....2.,........N...3c.l
lh...2.,.....2.,.....2.,.........p...2.,.....2.,.....:...U9e..6.T.....
[RcN.....~.....2.,.....2.,.....d!....~f..{.Z.8...~.....2.,.....2.,....
.d!....~f...x....2I........~.....2.,.....2.,.....d!....~f.....4..)...%
.....5...-.h.....(\..e.....2.,.....2.,.....2.,.....7.` .F....."..=g.bd
....s.x.gn5..2.,.....2.,.....*.U..K...\S.m...j...I`.-X.........k..
<<< skipped >>>

GET /n/p?module=9160&product=SCC&version=4.6.0.11&language=09.01&os=5.1.2600.3.0&y=1033&a=estorecj&b=false&c=nss=install&d=nss=1000&e=0x0&error=0&n=0&j=0&k=0&l=none&m=none&o=none&q=none&t=none&u=-1&v=none HTTP/1.1
User-Agent: Install Stub
Accept: */*
Host: stats.norton.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 13
Date: Sat, 05 Jul 2014 06:22:45 GMT
1404541365801....


GET /n/p?module=9151&product=SymCCIS&version=2.1.0.20&language=09.01&os=5.1.2600.3.0&y=1033&b=estorecj&a=CallCriteriaChecker&f=10&c=false&d=false&e=0x0&error=0&j=nss=install&k=nss=1000&g=0.954&l=2.726&q=&t=&u= HTTP/1.1

User-Agent: Install Stub
Accept: */*
Host: stats.norton.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 13
Date: Sat, 05 Jul 2014 06:22:45 GMT
1404541365936HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Cache-Control
: no-cache..Pragma: no-cache..Content-Type: text/plain;charset=ISO-885
9-1..Content-Length: 13..Date: Sat, 05 Jul 2014 06:22:45 GMT..14045413
65936..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.sxdata

.rsrc

__MSVCRT_HEAP_SELECT
user32.dll
OLEAUT32.dll
USER32.dll
ShellExecuteExA
SHELL32.dll
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
c:\%original file name%.exe
--YY})
-p%uG
(c,%sZ
J.VEe
Can not find setup.exe
setup.exe
BUnsupported Method

SymCCISExe.exe_1560:


.text
`.rdata
@.data
.rsrc
@.reloc
RPQSShd
8%u:j
QSSSSSSh
t%SWh4rI
xSSSh
FTPjKS
FtPj;S
C.PjRV
NRTN_OfferEngine_CheckCriteria_Web
2.1.0.20
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}
operator
portuguese-brazilian
GetProcessWindowStation
C:\bld_area\SymCCIS_r2.1.0_20\bin\bin.iru\SymCCISExe.pdb
CryptCATCatalogInfoFromContext
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
KERNEL32.dll
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
GdiplusShutdown
gdiplus.dll
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
SHDeleteKeyW
SHDeleteEmptyKeyW
.?AV?$_Ref_count@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@tr1@std@@
zcÁ
xmlns:xmp="http://ns.adobe.com/xap/1.0/">
xmlns:dc="http://purl.org/dc/elements/1.1/">
:9876543210/.-, *)('&%$#"!
--YY})
-p%uG
(c,%sZ
J.VEe
PA
8"83888=8
:};*=7=?=
2,2w2
7%7X7o7
7&7 7>7\7
= =%=8=[=
1&111^1|1
5*6064686<6
0 0$0(0,0
3!3%3)3-3135393
8œ9
8!8,80858
PartnerID passed as genericnss --> Changed it to --> symantecnss
%s\SymCCIS.dll
Launch browser URL:
Help URL:
Base URL:
&staging=%s
&partnerid=%s
&localeID=%d
&os=%u.%u.%u.%u.%u
&langID=X.X
&version=%s
&product=%s
msgid=%s
symccis::Controller::formatMessageURL
symccis::Controller::showErrorMsg
symccis::Controller::launchURL
Inside DoWord - Worker thread exit code b4 ping = %d
Inside DoWord - Worker thread exit code b4 post msg =
ICHttpRequest::CHttpRequest
CHttpRequest::~CHttpRequest
CHttpRequest::GetResponse
https
CHttpRequest::ParseURLW
CHttpRequest::RequestPage
[s d, d - d:d:d:d]
%s %ld
%s %s
%s 0x%x
Advapi32.dll
BACKGROUND.PNG
http://www.norton.com
CMainDlg::OnLaunchURL
Link URL =
CMainDlg::UrlCmdHandler
Link URL = %s
&linkurl=
Command = %s
URL =
Unable to get SDK path registry key
Unable to open SDK registry key
I&y=%d
&language=X.X
module=%s
http://stats.norton.com/n/p?
Ping URL =
&o=%s
&n=%d
&m=%s
&f=%d
&d=%s
&b=%s
&a=%s
SymCCISExe
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
SymCCISExe.txt
GetCmdLineOpt
http://liveupdate.symantecliveupdate.com
IsCmdlineSwitchPassed
GetCmdArgValue
GetExePath
OpenURL
%SymEFA%
EFACli.dll
0xX
..\Source\ccVerifyTrustStatic.cpp
FCLSID\%s\LocalServer32
CLSID\%s\InprocServer32
BNTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
B..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
C%s, %s, %s, %s(%ld)
C..\Source\ccModule.cpp
C..\Source\ccSystemInfo.cpp
C..\Source\ccRegistry.cpp
..\Source\ccStringConvert.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
\\?\UNC
C..\Source\ccSplitPath.cpp
C..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
C..\Source\ccMemory.cpp
C..\Source\ccFile.cpp
..\Source\ccWow64FsRedirection.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
D..\Source\ccEncryptedString.cpp
D..\Source\ccSymDllLifetimeMgr.cpp
F..\Source\ccSynchronize.cpp
t..\Source\ccMessageLock.cpp
kernel32.dll
KERNEL32.DLL
DPSAPI.DLL
..\Source\ccPEBReader.cpp
D..\Source\ccPrivilege.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
AWTSAPI32.DLL
B..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
EÌROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
F..\Source\ccArchive.cpp
E..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
E..\Source\ccSymStreamArchive.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
JÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
E..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
F..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
F..\Source\ccMemoryArchive.cpp
F..\Source\ccSymMemoryStreamImpl.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymCCISExe.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
Exit.Norton Product Installer encountered an error.
Install Complete!]Norton Safe Web Lite will provide website safety information next time you open your browser.
We cannot download this product because your system did not meet the installation requirements or you are not logged in as an Administrator.CNorton Product Installer could not start your default web browser.
You already have %s on your computer. This protection exceeds that provided by Norton Security Scan. Please continue to use your %s_We cannot download this product because your system did not meet the installation requirements.

SymCCISExe.exe_1560_rwx_09E10000_00002000:


The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

SymCCISExe.exe_1560_rwx_0A4E0000_00002000:


The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

SymInstallStub.exe_1788:


.text
`.rsrc
.reloc
8%u,j
QSSSSSSh
t.HuX
t%SWh
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
3.6.1.16
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}
Visual C   CRT: Not enough memory to complete call to strerror.
GetProcessWindowStation
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
CryptCATCatalogInfoFromContext
CertFreeCertificateContext
CertCompareIntegerBlob
CryptHashCertificate
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
RPCRT4.dll
Secur32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
GdiplusShutdown
gdiplus.dll
WinHttpConnect
WinHttpSetOption
WinHttpOpen
WinHttpQueryOption
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpWriteData
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpSetCredentials
WinHttpGetProxyForUrl
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCrackUrl
WINHTTP.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
SHDeleteKeyW
SHDeleteEmptyKeyW
.?AUWinHTTPProgressCallback@DING@@
.?AVCWinHTTPClient@installstub@@
.?AVCWinHTTPClient@DING@@
.?AUProgressCallback@CWinHTTPEngine@installstub@@
zcÁ
kernel32.dll
SymInstallStub.config.txt
SymInstallStub.state.dat
MSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/IS/
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Staging/IS/
http://cps.qalabs.symantec.com/teams/ISP/SymCCIS/IS/
Connections\Proxy\HTTP
Connections\Proxy\HTTPS
Connections\Proxy\FTP
Manual_Proxy_Port
Password
Auto_Config_URL
Proxy_Bypass
Advapi32.dll
C:\bld_area\NSSInstallStub_r3.6.1\SDK\CC\include\SymInterface.h
&y=%d
&q=%s
&m=%s
&j=%s
&i=%s
&g=%d
&f=%s
&e=%d
&b=%s
&a=%s
&MID=%s
&language=X.X
&os=%u.%u.%u.%u.%u
&version=%s
&product=%s
?module=%s
http://stats.norton.com/n/p
pVerifyTrust->VerifyFile failed, error = %d
pVerifyTrust->Create failed, error = %d
Failed to open AFF_ID reg key
strProductID = %s ; strRegAffID=%s
Affiliate ID was not passed
Not able to open SWL root key : SOFTWARE\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}
NSSInstall key created, Not able to set NSSInstall=1
Create NSSInstall key for SWL
installstub::Controller::setSWLBundledWithNSSRegKey
NSSInstall key already exists!
SOFTWARE\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}
Failed to open reg key
installstub::Controller::getProductListFromCmdLine
PartnerID passed as generic. Updating it to be symantec
installstub::Controller::getPartnerIDFromCmdLine
rinstallstub::PINGPACKET::ReportProductInstallResults
Sending Product Install Ping Event for, Product ID = %s, Ping URL = %s
&d=%s
&t=%s
&l=%s
&h=%d
&o=0xx
&n=0xx
&k=%s
&error=%d
&v=%d
&z=%d
installstub::PINGPACKET::ReportInstallstubResult
Sending InstallStub Exit Ping Event, Ping URL = %s
Source URL is empty
/%s=%s
/%s=%d
Delay = %d minutes
Could not open affid partner registry key: %s.
Could not open affid registry key: %s.
Failed to delete partners affid subkey: %s.
Failed to delete affid product: %s.
Sucessfully built Source URL
installstub::Controller::buildSourceURL
Sucessfully built Dest URL
Product ID = %s, State = %d
Failed to get Product object = %s
Command line passed in =
safeweblite
Install was successful for Product ID= %s. Updating Product Install Count registry entry.
Succcessfully downloaded %s from %s
Failed to delete unsigned File, hr = 0xx, GetLastError() = %ld
File already downloaded, not Symantec signed, Path : %s
File already downloaded, Symantec signed, Path %s
installstub::Controller::ValidateCmdLineForProduct
There were no products to download - vecProducts.size() = 0
Failed to download product: %s, hr = 0xx
Third attempt : Error downloading Product ID = %s from Default folder, hr = 0xx
Second attempt : Error downloading Product ID = %s, hr = 0xx
First attempt : Error downloading Product ID = %s, hr = 0xx
Downloading Product ID = %s
There were no products to install - vecProducts.size() = 0
Successfully installed product: %s, dwResult = %lu
Failed to install product: %s, return code = %lu
Failed to install product: %s, HRESULT = 0xx
Installing, Product ID = %s
Skipping Delete. FileExists returned false: %s
FileExists returned true. Deleting file: %s
Attempting to Delete: %s
Runonce key not present
Run once key deleted
Failed to delete run once key
FATAL error occurred, installStubErrorCode = %d
Delay download by = %d minutes
Recoverable error occurred, installStubErrorCode = %d
SymInstallStub exe
SymInstallStubIdle exe
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Fallback key successfully deleted.
Failed to delete Fallback key.
Fallback key present. Deleting.
Run once key already exists.
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Cookie: %s
Mozilla\Firefox\%s
Mozilla\Firefox\Profiles.ini
%s:%lu
%s://%s%s
https
0xX
DING_WinHttpClient.cpp
http=
AutoConfigURL
X-Symc-Local-User-Id: %s
X-Symc-Machine-Id: %s
network.proxy.autoconfig_url
network.proxy.http_port
network.proxy.http
network.proxy.type
network.proxy
prefs.js
user.js
FIREFOX
http\shell\open\command
CDownloadManager.DownloadFile returned
Starting HTTP engine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
IbPortuguese
BrPortuguese
GUID set to: %s
Not able to create install count for %s
Not able to set install count for %s
First time, create the key and write the value for %s
%s -- Not able to set install count for %s
Not able to open install date. Either it does not exist or regkey open failed.
Getting install date from: %s
First time, create the key and write the value
Unable to read retry count key.
Unable to delete file: %s =
%m/%d/%Y
Cc:\bld_area\nssinstallstub_r3.6.1\sdk\cc\include\SymInterface.h
installstub::HTTPDownloadData::CloseFileStream
installstub::HTTPDownloadData::Initialize
WinHttpReadData failed
WinHttpQueryDataAvailable failed
installstub::CWinHTTPClient::GetResponse
Destroying CWinHTTPEngine
installstub::CWinHTTPEngine::~CWinHTTPEngine
installstub::CWinHTTPEngine::Initialize
DeleteFile failed to delete %s, dwResult = %lu
installstub::CWinHTTPEngine::getTempFilePath
Server supports partial download resuming download
Error Unexpected http response status %d
Received HTTP STATUS = %d while expecting partial response
installstub::CWinHTTPEngine::prepareResponseData
Creating CWinHTTPEngine...
installstub::CWinHTTPEngine::CWinHTTPEngine
Failed to move %s to %s, hr=0xX
File Name %s[size %I64u]
Remaining download content - %I64u, downloaded - %I64u for file %s
Download for %s was already started, bytes - %I64u
installstub::CWinHTTPEngine::Download
SymInstallStub.txt
C%s%s
[ %s ] ... %s
[s d, d - d:d:d:d]
%s = %s
%s , HR = 0xX
%s , dwResult = %lu
%s , HR = 0xX, dwResult = %lu
%s = %s, HR = 0xX, dwResult = %lu
installstub::ProcessLauncher::launchProcessWithShellExecute
Scheduled Task File: %s
Total nodes validated : %d
Succeeded nodes : %d
Failed nodes : %d
%s[%d]->
..\..\SDK\JSONCPP\src\json_reader.cpp
Line %d, Column %d
..\..\SDK\JSONCPP\src\json_value.cpp
(*it).type() == Json::stringValue
int(indentString_.size()) >= indentSize_
..\..\SDK\JSONCPP\src\json_writer.cpp
childValues_.size() == size
%SymEFA%
EFACli.dll
..\Source\ccVerifyTrustStatic.cpp
ICLSID\%s\LocalServer32
CLSID\%s\InprocServer32
ENTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
E..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
E..\Source\ccMemory.cpp
E..\Source\ccFile.cpp
EÌROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
..\Source\ccStringConvert.cpp
..\Source\ccSymMemoryStreamImpl.cpp
F%s, %s, %s, %s(%ld)
F..\Source\ccRegistry.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
F..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
\\?\UNC
F..\Source\ccSplitPath.cpp
F..\Source\ccSymFileStreamImpl.cpp
F..\Source\ccModule.cpp
F..\Source\ccSystemInfo.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
..\Source\ccWow64FsRedirection.cpp
..\Source\ccEncryptedString.cpp
G..\Source\ccSymDllLifetimeMgr.cpp
I..\Source\ccSynchronize.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
NÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
t..\Source\ccMessageLock.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
AWTSAPI32.DLL
KERNEL32.DLL
GPSAPI.DLL
..\Source\ccPEBReader.cpp
G..\Source\ccPrivilege.cpp
E..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
I..\Source\ccArchive.cpp
H..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
H..\Source\ccSymStreamArchive.cpp
H..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
I..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
I..\Source\ccMemoryArchive.cpp
mscoree.dll
WUSER32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
Assertion failed: %s, file %s, line %d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymInstallStub.exe
/* Symantec Watermark: CB70-2826-1157-06-15-1 */
(0-3-000082
9VfL6qO3;J8HB.hwJ?l

SymCCISExe.exe_1560_rwx_10001000_00082000:


SSSSh
tcPW
QSSSSSSh
t%SWh
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}
operator
GetProcessWindowStation
SCC_CheckCriteria_Web
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
2.1.0.20
CryptCATCatalogInfoFromContext
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
URLOpenStreamW
urlmon.dll
DeleteUrlCacheEntryW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
WININET.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
RegEnumKeyExW
RegQueryInfoKeyW
OLEAUT32.dll
SHDeleteKeyW
SHDeleteEmptyKeyW
SYMCCIS.dll
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymCCISExe.exe
0xX
..\Source\ccVerifyTrustStatic.cpp
%SymEFA%
EFACli.dll
CLSID\%s\LocalServer32
CLSID\%s\InprocServer32
NTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
g..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
%s, %s, %s, %s(%ld)
..\Source\ccModule.cpp
..\Source\ccSystemInfo.cpp
..\Source\ccRegistry.cpp
..\Source\ccStringConvert.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
\\?\UNC
..\Source\ccSplitPath.cpp
..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
..\Source\ccMemory.cpp
..\Source\ccFile.cpp
..\Source\ccWow64FsRedirection.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
..\Source\ccEncryptedString.cpp
..\Source\ccSynchronize.cpp
..\Source\ccSymDllLifetimeMgr.cpp
kernel32.dll
KERNEL32.DLL
PSAPI.DLL
..\Source\ccPEBReader.cpp
..\Source\ccPrivilege.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
AWTSAPI32.DLL
..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
ÌROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
..\Source\ccArchive.cpp
..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
..\Source\ccSymStreamArchive.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
ÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
t..\Source\ccMessageLock.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
..\Source\ccMemoryArchive.cpp
..\Source\ccSymMemoryStreamImpl.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
FileDownloader::callURLOpenStream
CHttpRequest::CHttpRequest
CHttpRequest::~CHttpRequest
CHttpRequest::RequestPage
CHttpRequest::ParseURLW
https
[s d, d - d:d:d:d]
%s %ld
%s %s
%s 0x%x
http://cps.qalabs.symantec.com/teams/isp/symccis
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Staging
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production
SymCCIS.dll
SCC.dll
OfferUI.dll
SymInstallStub.exe
SymCCISDll.txt
Total CheckCriteria execution time in seconds =
NortonOfferEngineImpl::CheckCriteria_Web
downloadStubInstallerExe() failed, HR =
Failed to delete downloaded SCC.dll, GetLastError =
Failed to delete existing SCC.dll, GetLastError =
NortonOfferEngineImpl::downloadStubInstallerExe
Failed to delete existing SymInstallStub.exe, GetLastError =
NortonOfferEngineImpl::buildComponentDownloadURL
NortonOfferEngineImpl::getTestEnvironmentRootURL
NortonOfferEngineImpl::getISExeDestPath
getISExeDestPath() returned =
NortonOfferEngineImpl::sendPingForCheckCriteriaWeb
NortonOfferEngineImpl::getCheckCriteriaPingDataWeb
NortonOfferEngineImpl::getStubInstallerCmdLine
getStubInstallerCmdLine() returned =
NortonOfferEngineImpl::deleteDeclineCountRegKeyForThisProduct
NortonOfferEngineImpl::deleteDeclineCountParentKeyIfNoMoreProductsExist
Deleting DeclineCount subkey for partner =
Failed to create/open DECLINE_COUNT_REG_KEY
Advapi32.dll
http://stats.norton.com/n/p?
PingData::SendCheckCriteriaWebPing
PingData::createBaseURL
PingData::getCheckCriteriaPingURL
PingData::getCheckCriteriaWebPingURL
PingData::getInstallProductsPingURL
PingData::getOfferAcceptancePingURL
pingURL =
X.X
%u.%u.%u.%u.%u
Utility::LaunchProcessWithShellExecute
ShellExecuteEx failed, GetLastError =
---8#-8-@

SymCCISExe.exe_1560_rwx_10084000_00002000:


NRTN_OfferEngine_CheckCriteria_Web
kernel32.dll
urlmon.dll
URLOpenStreamW
WININET.dll
USER32.dll
MsgWaitForMultipleObjectsEx
ADVAPI32.dll
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
OLEAUT32.dll
2.1.0.20

SymInstallStub.exe_1788_rwx_00401000_00116000:


8%u,j
QSSSSSSh
t.HuX
t%SWh
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
3.6.1.16
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}
Visual C   CRT: Not enough memory to complete call to strerror.
GetProcessWindowStation
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
CryptCATCatalogInfoFromContext
CertFreeCertificateContext
CertCompareIntegerBlob
CryptHashCertificate
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
RPCRT4.dll
Secur32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
GdiplusShutdown
gdiplus.dll
WinHttpConnect
WinHttpSetOption
WinHttpOpen
WinHttpQueryOption
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpWriteData
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpSetCredentials
WinHttpGetProxyForUrl
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCrackUrl
WINHTTP.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
SHDeleteKeyW
SHDeleteEmptyKeyW
.?AUWinHTTPProgressCallback@DING@@
.?AVCWinHTTPClient@installstub@@
.?AVCWinHTTPClient@DING@@
.?AUProgressCallback@CWinHTTPEngine@installstub@@
zcÁ
SymInstallStub.config.txt
SymInstallStub.state.dat
MSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/IS/
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Staging/IS/
http://cps.qalabs.symantec.com/teams/ISP/SymCCIS/IS/
Connections\Proxy\HTTP
Connections\Proxy\HTTPS
Connections\Proxy\FTP
Manual_Proxy_Port
Password
Auto_Config_URL
Proxy_Bypass
Advapi32.dll
C:\bld_area\NSSInstallStub_r3.6.1\SDK\CC\include\SymInterface.h
&y=%d
&q=%s
&m=%s
&j=%s
&i=%s
&g=%d
&f=%s
&e=%d
&b=%s
&a=%s
&MID=%s
&language=X.X
&os=%u.%u.%u.%u.%u
&version=%s
&product=%s
?module=%s
http://stats.norton.com/n/p
pVerifyTrust->VerifyFile failed, error = %d
pVerifyTrust->Create failed, error = %d
Failed to open AFF_ID reg key
strProductID = %s ; strRegAffID=%s
Affiliate ID was not passed
Not able to open SWL root key : SOFTWARE\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}
NSSInstall key created, Not able to set NSSInstall=1
Create NSSInstall key for SWL
installstub::Controller::setSWLBundledWithNSSRegKey
NSSInstall key already exists!
SOFTWARE\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}
Failed to open reg key
installstub::Controller::getProductListFromCmdLine
PartnerID passed as generic. Updating it to be symantec
installstub::Controller::getPartnerIDFromCmdLine
rinstallstub::PINGPACKET::ReportProductInstallResults
Sending Product Install Ping Event for, Product ID = %s, Ping URL = %s
&d=%s
&t=%s
&l=%s
&h=%d
&o=0xx
&n=0xx
&k=%s
&error=%d
&v=%d
&z=%d
installstub::PINGPACKET::ReportInstallstubResult
Sending InstallStub Exit Ping Event, Ping URL = %s
Source URL is empty
/%s=%s
/%s=%d
Delay = %d minutes
Could not open affid partner registry key: %s.
Could not open affid registry key: %s.
Failed to delete partners affid subkey: %s.
Failed to delete affid product: %s.
Sucessfully built Source URL
installstub::Controller::buildSourceURL
Sucessfully built Dest URL
Product ID = %s, State = %d
Failed to get Product object = %s
Command line passed in =
safeweblite
Install was successful for Product ID= %s. Updating Product Install Count registry entry.
Succcessfully downloaded %s from %s
Failed to delete unsigned File, hr = 0xx, GetLastError() = %ld
File already downloaded, not Symantec signed, Path : %s
File already downloaded, Symantec signed, Path %s
installstub::Controller::ValidateCmdLineForProduct
There were no products to download - vecProducts.size() = 0
Failed to download product: %s, hr = 0xx
Third attempt : Error downloading Product ID = %s from Default folder, hr = 0xx
Second attempt : Error downloading Product ID = %s, hr = 0xx
First attempt : Error downloading Product ID = %s, hr = 0xx
Downloading Product ID = %s
There were no products to install - vecProducts.size() = 0
Successfully installed product: %s, dwResult = %lu
Failed to install product: %s, return code = %lu
Failed to install product: %s, HRESULT = 0xx
Installing, Product ID = %s
Skipping Delete. FileExists returned false: %s
FileExists returned true. Deleting file: %s
Attempting to Delete: %s
Runonce key not present
Run once key deleted
Failed to delete run once key
FATAL error occurred, installStubErrorCode = %d
Delay download by = %d minutes
Recoverable error occurred, installStubErrorCode = %d
SymInstallStub exe
SymInstallStubIdle exe
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Fallback key successfully deleted.
Failed to delete Fallback key.
Fallback key present. Deleting.
Run once key already exists.
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Cookie: %s
Mozilla\Firefox\%s
Mozilla\Firefox\Profiles.ini
%s:%lu
%s://%s%s
https
0xX
DING_WinHttpClient.cpp
http=
AutoConfigURL
X-Symc-Local-User-Id: %s
X-Symc-Machine-Id: %s
network.proxy.autoconfig_url
network.proxy.http_port
network.proxy.http
network.proxy.type
network.proxy
prefs.js
user.js
FIREFOX
http\shell\open\command
CDownloadManager.DownloadFile returned
Starting HTTP engine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
IbPortuguese
BrPortuguese
GUID set to: %s
Not able to create install count for %s
Not able to set install count for %s
First time, create the key and write the value for %s
%s -- Not able to set install count for %s
Not able to open install date. Either it does not exist or regkey open failed.
Getting install date from: %s
First time, create the key and write the value
Unable to read retry count key.
Unable to delete file: %s =
%m/%d/%Y
Cc:\bld_area\nssinstallstub_r3.6.1\sdk\cc\include\SymInterface.h
installstub::HTTPDownloadData::CloseFileStream
installstub::HTTPDownloadData::Initialize
WinHttpReadData failed
WinHttpQueryDataAvailable failed
installstub::CWinHTTPClient::GetResponse
Destroying CWinHTTPEngine
installstub::CWinHTTPEngine::~CWinHTTPEngine
installstub::CWinHTTPEngine::Initialize
DeleteFile failed to delete %s, dwResult = %lu
installstub::CWinHTTPEngine::getTempFilePath
Server supports partial download resuming download
Error Unexpected http response status %d
Received HTTP STATUS = %d while expecting partial response
installstub::CWinHTTPEngine::prepareResponseData
Creating CWinHTTPEngine...
installstub::CWinHTTPEngine::CWinHTTPEngine
Failed to move %s to %s, hr=0xX
File Name %s[size %I64u]
Remaining download content - %I64u, downloaded - %I64u for file %s
Download for %s was already started, bytes - %I64u
installstub::CWinHTTPEngine::Download
SymInstallStub.txt
C%s%s
[ %s ] ... %s
[s d, d - d:d:d:d]
%s = %s
%s , HR = 0xX
%s , dwResult = %lu
%s , HR = 0xX, dwResult = %lu
%s = %s, HR = 0xX, dwResult = %lu
installstub::ProcessLauncher::launchProcessWithShellExecute
Scheduled Task File: %s
Total nodes validated : %d
Succeeded nodes : %d
Failed nodes : %d
%s[%d]->
..\..\SDK\JSONCPP\src\json_reader.cpp
Line %d, Column %d
..\..\SDK\JSONCPP\src\json_value.cpp
(*it).type() == Json::stringValue
int(indentString_.size()) >= indentSize_
..\..\SDK\JSONCPP\src\json_writer.cpp
childValues_.size() == size
%SymEFA%
EFACli.dll
..\Source\ccVerifyTrustStatic.cpp
ICLSID\%s\LocalServer32
CLSID\%s\InprocServer32
ENTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
E..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
E..\Source\ccMemory.cpp
E..\Source\ccFile.cpp
EÌROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
..\Source\ccStringConvert.cpp
..\Source\ccSymMemoryStreamImpl.cpp
F%s, %s, %s, %s(%ld)
F..\Source\ccRegistry.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
F..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
\\?\UNC
F..\Source\ccSplitPath.cpp
F..\Source\ccSymFileStreamImpl.cpp
F..\Source\ccModule.cpp
F..\Source\ccSystemInfo.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
..\Source\ccWow64FsRedirection.cpp
..\Source\ccEncryptedString.cpp
G..\Source\ccSymDllLifetimeMgr.cpp
I..\Source\ccSynchronize.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
NÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
t..\Source\ccMessageLock.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
AWTSAPI32.DLL
kernel32.dll
KERNEL32.DLL
GPSAPI.DLL
..\Source\ccPEBReader.cpp
G..\Source\ccPrivilege.cpp
E..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
I..\Source\ccArchive.cpp
H..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
H..\Source\ccSymStreamArchive.cpp
H..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
I..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
I..\Source\ccMemoryArchive.cpp
mscoree.dll
WUSER32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
Assertion failed: %s, file %s, line %d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymInstallStub.exe
/* Symantec Watermark: CB70-2826-1157-06-15-1 */
(0-3-000082
9VfL6qO3;J8HB.hwJ?l

nssSetup.exe_704:


.text
`.rdata
@.data
.rsrc
@.reloc
8%uEP3
9>t.hD
t%SWh
FTPh
FtPh
\$,9^0~9
WTSAPI32.dll
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
{X-X-X-XX-XXXXXX}
operator
GetProcessWindowStation
USERENV.dll
VERSION.dll
WINHTTP.dll
9.1.0.26
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
C:\bld_area\InstallToolBox_r9.1_26\VS10\Bin\Win32\Release\MiniStub.pdb
ExitWindowsEx
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ShellExecuteExW
UrlCanonicalizeW
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCrackUrl
WinHttpOpen
WinHttpSetOption
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetProxyForUrl
WinHttpSetCredentials
MsgWaitForMultipleObjectsEx
SHDeleteKeyW
SHDeleteEmptyKeyW
Secur32.dll
KERNEL32.dll
ole32.dll
OLEAUT32.dll
imagehlp.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
zcÁ
.PA_W
("(,%%)|#"'
18%U<%
.nN\I
q:\ssF
Oÿ2
l7cmD
P%xiZ
.'#)/"&0
r.IOOO
bh.kn@
CDQ.Ef
<(.bp9Fe
R.OFd
Symantec MiniStub application.true
<%=*===~=
0 1%1X1
6%7X7~7
> >$>(>,>0>4>8><>@>
4 4$4(4,4044484
6 6$6(6,60646
9,989@9\9|9
@..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
@..\Source\ccMemory.cpp
..\Source\ccStringConvert.cpp
A..\Source\ccRegistry.cpp
A%s, %s, %s, %s(%ld)
ANTDLL.DLL
A..\Source\ccSystemInfo.cpp
A..\Source\ccThread.cpp
t..\Source\ccMessageLock.cpp
E..\Source\ccSynchronize.cpp
..\Source\ccSymFileStreamImpl.cpp
A..\Source\ccFile.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
A..\Source\ccSymMemoryStreamImpl.cpp
..\Source\ccSymValueCollectionConvert.cpp
A..\Source\ccMemoryArchive.cpp
\\?\UNC
A..\Source\ccSplitPath.cpp
E..\Source\ccArchive.cpp
B..\Source\ccSingleInstance.cpp
0xX :
d-d-d-d-d-d-d :
-0xX
fallback.dat
maplngid.dat
Langver.map
%s\%s\%s
..\Source\ccSymResourceModuleLocatorBase.cpp
%s\*.*
B..\Source\ccModule.cpp
B..\Source\ccPrivilege.cpp
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
HÌROOT%
CSIDL_WINDOWS
..\Source\ccPathExpansion.cpp
B..\Source\ccCommandLine.cpp
..\Source\ccSymDebugOptions.cpp
\%s.dmp
Cx86\DbgHelp.dll
DbgHelp.dll
B..\Source\ccVersionInfo.cpp
\StringFileInfo\xx\%s
..\Source\ccSymIndexValueCollectionImpl.cpp
A..\Source\ccSymModuleLifetimeMgrImpl.cpp
AWTSAPI32.DLL
KERNEL32.DLL
CPSAPI.DLL
..\Source\ccPEBReader.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymValueCollection.cpp
C..\Source\ccDummyArchive.cpp
..\Source\ccDACL.cpp
Software\Microsoft\Windows\CurrentVersion
IÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
I..\Source\ccSymLanguageInfoBase.cpp
C%s%s.dmp
C..\Source\ccCrashHandler.cpp
%s %u
"%s" %s %u
%sSE_GROUP_RESOURCE
%sSE_GROUP_LOGON_ID
%sSE_GROUP_USE_FOR_DENY_ONLY
%sSE_GROUP_OWNER
%sSE_GROUP_ENABLED
%sSE_GROUP_ENABLED_BY_DEFAULT
%sSE_GROUP_MANDATORY
%sSE_PRIVILEGE_USED_FOR_ACCESSR
%sSE_PRIVILEGE_REMOVED
%sSE_PRIVILEGE_ENABLED
%sSE_PRIVILEGE_ENABLED_BY_DEFAULT
-d-d-d-d-d-d-d
DBGHELP.DLL
IMM32.DLL
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymDllLifetimeMgr.cpp
D..\Source\ccSymStreamArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymDllLifetimeMgrLocal.cpp
A..\Source\ccSymDigest.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
A..\Source\ccSymInstanceFactoryImpl.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
@..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
CUserLaunch::IsValidSession(86) : WTSEnumerateSessions Failed : (%d)
CUserLaunch::Initialize(98) : session id: %lu, elevated: %d
CUserLaunch::Initialize(131) : WTSQueryUserToken failed for User: %s error: %d
CUserLaunch::Initialize(197) : GetTokenInformation() == FALSE, 0xx
CUserLaunch::Initialize(206) : mem.NewAlloc() == NULL
CUserLaunch::Initialize(213) : GetTokenInformation() == FALSE, 0xx
CUserLaunch::Initialize(280) : Initialized... session id: %lu, elevated: %d
CUserLaunch::LaunchProcess(319) : Launching CreateProcessAsUser(%s), attempt %d (timeout: %lu)
Process returned: 0xx
winlogon.exe
FindProcess for winlogon.exe failed: 0xx
FindShellProcessForSession failed: 0xx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
..\include\UserLaunch.cpp
0xX
explorer.exe
Tokenizing shell failed (%s)
FindShellProcess failed for %s 0xx
%s - %s
@IDispatch error #%d
DING::CSecurityDescriptorParser::Parse(236) : CSecurityDescriptorParser parsing security DACL[%ls] for - non-DACL elements are not supported!
DING::CSecurityDescriptorParser::Parse(239) : CSecurityDescriptorParser parsing security DACL[%ls] for - unsupported access right!
DING::CSecurityDescriptorParser::Parse(240) : CSecurityDescriptorParser parsing security DACL[%ls] for - unsupported user!
DING::CServiceSecurityProcessor::ApplyAccessRights(92) : ConvertStringSidToSid() for user SID: %ls failed. GetLastError() reports: %d
DING::CServiceSecurityProcessor::ApplyAccessRights(122) : SetSecurityInfo() for service: %ls failed with return value: %d
DING::CServiceSecurityProcessor::ApplyAccessRights(128) : SetEntriesInAcl() for service: %ls failed with return value: %d
DING::CServiceSecurityProcessor::ApplyAccessRights(140) : GetSecurityInfo() for service: %ls failed with return value: %d
BB::CProcessPrioritySetterMgr::CNativeProcessInfo::Initialize(188) : Unable to retrieve NTDLL module handle, last error 0xx
BB::CProcessPrioritySetterMgr::CNativeProcessInfo::Initialize(199) : Unable to retrieve ZwQueryInformationProcess function pointer, error returned 0xx
BB::CProcessPrioritySetterMgr::CNativeProcessInfo::Initialize(211) : Unable to retrieve ZwSetInformationProcess function pointer, error returned 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::Apply(289) : Unable to get process priority class, last error 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::Apply(294) : Priority class for process 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::Apply(312) : Unable to set process priority class, last error 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::Apply(321) : Successfully set process priority class to 0xx, but retrieved value 0xx differs!!!
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::Apply(326) : Successfully set process 0xx priority class to 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU::IsUpdateRequired(374) : Current process priority class 0xx, Requested process priority class 0xx
BB::CProcessPrioritySetterMgr::CPrioritySetter_CPU_Native::Apply(429) : Successfully set process priority class for current process to %s, %lu
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(618) : Created PRIMITIVE CPrioritySetter_CPU
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(625) : Created PRIMITIVE CPrioritySetter_CPU_Native
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(632) : Created PRIMITIVE CPrioritySetter_CPU_Native
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(639) : Created PRIMITIVE CPrioritySetter_IO
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(646) : Created PRIMITIVE CPrioritySetter_Page
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(652) : switch(info.eType == %lu) default
BB::CProcessPrioritySetterMgr::CPrioritySetterFactory::operator ()(656) : Create the primitive based on identifier DONE
bbProcessStartupPriorityMgr.cpp
BB::CProcessPrioritySetterMgr::Start(765) : DuplicateHandle(...) == FALSE, last error 0xx
BB::CProcessPrioritySetterMgr::Run(859) : !m_hProcess.IsHandle()
BB::CProcessPrioritySetterMgr::Run(954) : Result updated to 0xx
BB::CProcessPrioritySetterMgr::Run(957) : Closing process handle 0xx
BB::CProcessPrioritySetterMgr::start(1088) : Create(NULL, 0, 0) == FALSE, last error 0xx
BB::CProcessStartupPriorityMgr::AddPrioritySetter(1144) : !m_cfg.GetEnabled()
BB::CProcessStartupPriorityMgr::Start(1163) : !m_cfg.GetEnabled()
BB::CProcessStartupPriorityMgr::Stop(1211) : !m_cfg.GetEnabled()
DING::CArchivingFileStreamImpl::~CArchivingFileStreamImpl(58) : DeleteFile failed %s (%lu)
DING::CArchivingFileStreamImpl::SetFileNameFormat(142) : failed to create file: %s (%lu)
..\include\DING_ArchivingFileStreamImpl.cpp
DING::CFileDataExtender::Initialize(124) : SetFileAttributes Failed on %s.
DING::CFileDataExtender::Initialize(167) : file is larger than 4GB, which is not supported by this tool
DING::CFileDataExtender::Export(467) : invalid pointer... need to initialize...
DING::CFileDataExtender::Export(476) : out of memory
DING::CFileDataExtender::Export(484) : failed to open: %ls (%lu)
DING::CFileDataExtender::Export(492) : failed to QI for ISerialize
DING::CFileDataExtender::Export(498) : failed to save kvc to stream
DING::CFileDataExtender::Import(519) : out of memory
DING::CFileDataExtender::Import(535) : out of memory
DING::CFileDataExtender::Import(543) : failed to QI for ISerialize
DING::CFileDataExtender::Import(554) : failed to QI for IClone
DING::CFileDataExtender::Import(576) : failed to QI for IClone
DING::CFileDataExtender::GetCollection(990) : invalid parameter - must pass a valid kvc
AddFile: %s %s %d
DING::CFilePacker::AddFile(417) : failed to open: %s (0xx)
..\include\DING_FilePacker.cpp
Index added: %s (eFileType_Extract)
adding file: %s as %s (0xx)
DING::CFilePacker::ContainsPackage(553) : packed file does not exist: %s
End of EXE module: %lu
REAL End of EXE module: %lu
DING::CFilePacker::Extract(633) : packed file does not exist: %s
DING::CFilePacker::Extract(855) : invalid extract type: %d
DING::CFilePacker::WriteStreamToDisk(889) : failed to create directory: %s (%lu)
DING::CFilePacker::WriteStreamToDisk(933) : failed attempting to extract: %s
DING::CFilePacker::WriteStreamToDisk(942) : failed attempting to extract: %s
..\include\DING_FileStreamImpl.cpp
DING::CPEFileHelper::ReadHeaders(95) : CSignedPEFile::ReadHeaders() : buffer.Alloc() == NULL
DING::CPEFileHelper::ReadHeaders(160) : CSignedPEFile::ReadHeaders() : m_dwWinCertificateLength > m_dwMaxCertificateSize
OpenService(%s, 0x%x)
OpenService failed: %s (%lu)
..\include\DING_servicewrapper.cpp
Waiting for %s service to start.
DING::CService::RemediateService(684) : EnsureAccess %s threw an exception: %d
DING::CService::RemediateService(689) : EnsureAccess %s threw an exception: (0xx)
SYSTEM\CurrentControlSet\Services\%s
failed to open: %s (%lu)
RegistryEnsureAccess %s threw an exception: %d
RegistryEnsureAccess %s threw an exception: (0xx)
SetNamedSecurityInfo(%s) != ERROR_SUCCESS: %lu
%s-d-d-d-dhdmds
SOFTWARE\Microsoft\Windows\CurrentVersion
..\include\DING_Utils.cpp
%s %s
Launching: %s
DING::CUtils::ExecuteProgramEx(304) : GetExitCodeProcess failed: 0xx
DING::CUtils::ExecuteProgramEx(314) : failed to launch: 0xx
DING::CUtils::DeleteFolder(325) : invalid path: %s
delete on reboot: %s
DING::CUtils::DeleteFolder(347) : MoveFileEx failed to delete folder: %s (%lu)
DING::CUtils::DeleteFolder(361) : failed to delete folder: %s (%lu)
DING::CUtils::DeleteFolderOnReboot(380) : invalid path: %s
DING::CUtils::CopyFiles(472) : invalid path: %s
DING::CUtils::CopyFiles(497) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::CopyFiles(501) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::CopyFiles(505) : CreateDirectory failed: %s (%lu)
DING::CUtils::DeleteEmptyFolders(600) : invalid path: %s
DING::CUtils::DeleteEmptyFolders(618) : MoveFileEx failed to delete folder: %s (%lu)
DING::CUtils::DeleteHandler(668) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::DeleteHandler(672) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::DeleteHandler(681) : MoveFileEx failed to delete folder: %s (%lu)
DeleteFile: %s
DING::CUtils::DeleteHandler(719) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::DeleteHandler(723) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::DeleteHandler(729) : MoveFileEx failed to delete file: %s (%lu)
DING::CUtils::DeleteHandler(750) : failed to delete file: %s (%lu)
DING::CUtils::DeleteEmptyFolderHandler(832) : MoveFileEx failed to delete folder: %s (%lu)
DING::CUtils::DeleteFileW(953) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::DeleteFileW(957) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::DeleteFileW(964) : MoveFileEx failed to delete file: %s (%lu)
DING::CUtils::DeleteFileW(992) : failed to delete file: %s (%lu)
DING::CUtils::DeleteFileW(1004) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::DeleteFileW(1008) : FileEnsureAccess %s threw an exception: (0xx)
SDDL: %s (%s)
LoadResourceModule(): %s, X
DING::CUtils::LoadResourceModule(1101) : Error: %d, Unable to load resource module: %s
%s created for %s
DING::CUtils::SetRebootFlag(1193) : failed to create reboot key (%lu)
DING::CUtils::SetRebootFlag(1200) : failed to open Norton key (%lu)
DING::CUtils::SetRebootFlag(1208) : failed to create reboot key (%lu)
reboot key found (need to reboot before running install)
DING::CUtils::CopySubFolderHandler(1290) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::CopySubFolderHandler(1294) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::CopySubFolderHandler(1298) : CreateDirectory failed: %s (%lu)
DING::CUtils::CopyFolderHandler(1360) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::CopyFolderHandler(1364) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::CopyFolderHandler(1369) : CreateDirectory failed: %s (%lu)
DING::CUtils::CopyFolderHandler(1418) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::CopyFolderHandler(1422) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::CopyFolderHandler(1429) : CopyFile failed: %s (%lu)
DING::CUtils::CopyFolderHandler(1435) : CopyFile failed: %s (%lu) -- copy on reboot
DING::CUtils::CopyFolderHandler(1454) : failed to copy: %s -> %s (%lu)
DING::CUtils::CopyFolderHandler(1462) : MoveFileEx failed: %s -> %s (%lu)
MoveFile: %s -> %s
DING::CUtils::CopyFolderHandler(1471) : CopyFile failed: %s (%lu) -- move on reboot
DING::CUtils::CopyFolderHandler(1476) : MoveFileEx failed: %s -> %s (%lu)
DING::CUtils::CopyFilesHandler(1681) : FileEnsureAccess %s threw an exception: %d
DING::CUtils::CopyFilesHandler(1685) : FileEnsureAccess %s threw an exception: (0xx)
DING::CUtils::CopyFilesHandler(1689) : CreateDirectory failed: %s (%lu)
DING::CUtils::CopyFilesHandler(1698) : CopyFile failed: %s -> %s (%lu)
Copy: %s -> %s
%lsX
http://stats.norton.com/n/p?%s
http://stats.norton.com/n/p%s
DING::CUtils::CanonicalizePartialURL(2010) : UrlCanonicalizeW failed: 0xx
DING::CUtils::CanonicalizePartialURL(2021) : UrlCanonicalizeW failed: 0xx
Protecting Folder (%s): %s
!!!!Found known folder do not DELETE!!!: %s
@kernel32.dll
shell32.dll
Connections\Proxy\HTTP
Manual_Proxy_Port
Password
Auto_Config_URL
Secure connection failed 0xx
WinHttpReceiveResponse call failed, ErrorCode=%lu
WinHttpQueryHeaders call failed HR =0xx
Unexpected error during WinHTTPQueryHeaders (0xx)
WinHttpQueryDataAvailable failed: 0xx
Attack/Buffer Overflow guard for dwAvailableBytes:0xx.
WinHttpReadData failed: %lu
WinHttpQueryDataAvailable failed: %lu
Received WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING
WinHttpCrackUrl failed: %lu
DING/0.0.0.0/Win
InitializeWinHttp failed - unable to initialize WinHTTP services
LoadProxySettings failed with 0xx assuming no proxy
WinHttpOpen call failed, Error=%lu
WinHttpConnect call failed, Error=%lu
..\include\DING_WinHttpClient.cpp
Registry open failed for SILO %s with error %lu
DING::CWinHTTPClient::Query(624) : Unable to create Request Id GUID: 0xx
%s-%s
DING::CWinHTTPClient::Query(638) : Unable to create Request Id GUID
Request Id: %s
WinHttpOpenRequest call failed, ErrorCode=%d
WinHttpSetOption succeeded, invalid or out of date certificates allowed
Could not set relaxed SSL requirements, WinHttpSetOption failed: 0xx
DING::CWinHTTPClient::Query(688) : Failed to allocate memory for request context
callback can't be NULL for async operation
WinHttpSetStatusCallback call failed, ErrorCode=%lu
DING::CWinHTTPClient::Query(757) : Couldn't add request to map %s
WinHttpSetOption(WINHTTP_DISABLE_KEEP_ALIVE) failed: %lu
failed to open isolation key: %lu
failed to open Identifiers key: %lu
X-Symc-Local-User-Id: %s
X-Symc-Machine-Id: %s
X-Symc-Request-Id: %s
WinHttpAddRequestHeaders failed: %lu, Request ID=%s
WinHttpSendRequest call failed, ErrorCode=%lu
WinHttpReceiveResponse failed: %lu
WinHttpQueryHeaders failed: %lu
Getting response for the Request Id %s
failed to create settings Manager: 0xx
failed to get http settings
could not get AutoConfig URL
failed to get server: 0xx
Server is specified, but no port, assuming port 80
failed to get port: 0xx
Server: %s, Port: %lu, User: %s
https
%s://%s%s
WinHTTPSetOption Failed setting AutoProxy: %lu
WinHttpSetOption failed setting AutoProxyURL: %lu
Proxy port and proxy server must be set to use this option
%s:%lu
WinHttpSetOption failed setting manual proxy URL: %lu
WinHttpSetCredentials(WINHTTP_AUTH_TARGET_PROXY) failed: %lu
gengine.dll
CEngineWrapper::Load(68) : failed to initialize Engine: %s (0xx)
CEngineWrapper::Load(87) : failed to create EngineManager object (0xx)
@%s\Install.%%d.mft
DING_{737118AA-7857-4554-A6FD-B2F2718AD7E9}
DING_{4467AB8F-68C8-4ab5-9B48-B3E6EB65F6A1}
DING_{66F78E3E-B9A1-4723-A090-E48BBECF7802}
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
layout.dat
extract.dat
complete.dat
finalzed.dat
install.dat
Install.mft
InstStub.exe
InsMUI.loc
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
CInstallManager::Initialize(144) : failed to create CKeyValueCollectionImpl
CInstallManager::Initialize(175) : InitializeEmbeddedData failed (0xx)
Service Control Manager failed to open: %d
Service %s failed to open: %d
StartService failed: %d
%s failed to start
AcceptEULA failed: 0xx
ForceLoad failed: 0xx
CInstallManager::Initialize(306) : InitializeEmbeddedData failed (0xx)
%s_CleanUp
Uninstall Key found
Setup path to Isolate.ini
\isolate.ini
%s_disabled
Unable to create path to isolate.ini
Disabling isolate.ini so that our IPC calls will go to the correct silo for the patch controller
Unable to disable %s
Couldn't connect to rebootless patch controller: 0xx
Couldn't send patch status, not rebootless patching? :0xx
Restored Isolate.ini
Unable to create %s semaphore
Finished: Extract Package: 0xx
CInstallManager::Initialize(515) : CreateUIFrame failed (0xx)
CInstallManager::Initialize(526) : GetFrame failed (0xx)
Finished: Extract Package (media retry): 0xx
CInstallManager::Initialize(601) : failed to import embedded data
CInstallManager::Initialize(631) : InitializeOutputManifest failed (0xx)
Stage cmd set
CInstallManager::Initialize(710) : CreateUIFrame failed (0xx)
CInstallManager::Initialize(738) : GetFrame failed (0xx)
CInstallManager::Initialize(771) : GetInstallUI failed (0xx)
CInstallManager::Initialize(870) : Unable to execute %s
Launching: %s %s
CInstallManager::Initialize(968) : failed to launch "%s" in tray mode (%lu), use this process for tray mode
engine returned: 0xx (reboot: %d)
change return code so initial setup doesn't delete its cache: 0xx
%s /%s
InstallManager.cpp
CInstallManager::RunOnceRelaunch(1197) : failed to open RunOnce subkey (%s): %lu
/%s "%s"
CInstallManager::RunOnceRelaunch(1242) : ShellExecuteEx failed (%lu), continue installing
CInstallManager::CheckValidationMode(1277) : failed to load engine: 0xx
CInstallManager::CheckValidationMode(1294) : failed to Initialize engine: 0xx
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
d-d-d-dhdmds
CInstallManager::CreateDirectories(1426) : failed to create directory (%s) (0xx)
command line: %s
base install folder: %s
install log folder: %s
install temp folder: %s
CInstallManager::CreateDirectories(1440) : failed to create directory (%s) (0xx)
attempting to fix access denied error: %s
CInstallManager::EnsureCreateDirectory(1498) : FileEnsureAccess %s threw an exception: %d
CInstallManager::EnsureCreateDirectory(1503) : FileEnsureAccess %s threw an exception: (0xx)
CInstallManager::InitializeLogging(1543) : g_CrashHandler.SetOptions() == FALSE
CInstallManager::GetCommonInstallFolder(1569) : reg.Open() == FALSE
CInstallManager::InitializeEmbeddedData(1640) : SetSiloID failed: %s
CInstallManager::InitializeEmbeddedData(1655) : SetSiloRegistryRoot failed: %s
CInstallManager::InitializeEmbeddedData(1673) : failed to create directory (%s) (0xx)
Install Cache: %s
CInstallManager::InitializeEmbeddedData(1758) : failed to create directory: %s (0xx)
CInstallManager::InitializeEmbeddedData(1775) : unable to import external settings
deleting folder: %s (reboot: %d)
deleting folder (reboot): %s
deleting empty folders: %s
delete file: %s
CInstallManager::Run(2037) : ExtractLayout failed (0xx)
CInstallManager::IsDepPatchWaiting(2065) : failed to open isolation key: %lu
CInstallManager::IsDepPatchWaiting(2075) : failed to open patch key: %lu
CInstallManager::IsDepPatchWaiting(2085) : failed to open engine key: %lu
Dependent patch waiting - delete patch key
CInstallManager::ExtractLayout(2136) : Initialize failed (0xx)
CInstallManager::ExtractLayout(2153) : Open failed (0xx)
CInstallManager::ExtractLayout(2161) : ExtractFolder failed (0xx)
Finished: Extracting Layout (%s
CopyBaseFiles: %s
CInstallManager::ExtractLayout(2181) : failed to write layout.dat
CInstallManager::LaunchEngine(2219) : failed to load engine: 0xx
CInstallManager::LaunchEngine(2228) : failed to get UI frame: 0xx
CInstallManager::LaunchEngine(2309) : failed to initialize engine: 0xx
Unable to delete return code %s/%s
CInstallManager::LaunchEngine(2360) : ReturnCode: failed to set "%s" = "%d": %lu
Unable to open SILO key
%s\%s
CInstallManager::LaunchEngine(2382) : ReturnCode: failed to set "%s" = "%d": %lu
CInstallManager::LaunchEngine(2393) : engine failed: 0xx
CInstallManager::DeleteCompleteAndExtract(2448) : failed to delete %s: 0xx
CInstallManager::DeleteCompleteAndExtract(2454) : failed to delete %s: 0xx
CInstallManager::ShowMB(2532) : failed to set the isolation reg key
CInstallManager::ShowMB(2555) : failed to LoadString Message %d];
CInstallManager::ShowMB(2560) : failed to LoadString Message %d];
CInstallManager::ShowMB(2597) : failed to LoadString Message %d];
CInstallManager::ShowMB(2602) : failed to LoadString Message %d];
NortonInstall\temp.loc
NortonInstall\%s.loc
ExtractResource returned 0xx
Removing languages: %s
delete folder: %s
delete empty folder: %s
CInstallManager::UpdateDefaultLanguageFromDisk(3038) : failed to open: %s (%lu)
CInstallManager::UpdateDefaultLanguageFromDisk(3046) : fallback.dat is corrupt
CInstallManager::UpdateDefaultLanguageFromDisk(3052) : failed to read: %s (%lu)
fallback language id: %x
LocaleIDToLangString for language ID %x failed
%s_%s_%d.exe
CInstallManager::SetupAndLaunchRemovalProcess(3153) : CopyFile failed (%s -> %s): %lu
CInstallManager::SetupAndLaunchRemovalProcess(3200) : collection import failed
set DeleteMode for: %s
set deletemode for empty folders: %s
/%s /%s "%s"
deleting folder: %s
deleting file: %s
CInstallManager::CheckAndSignalOtherInstance(3374) : GetFrame failed (0xx)
CInstallManager::CheckAndSignalOtherInstance(3386) : GetInstallTray failed (0xx)
CInstallManager::ShowRebootTray(3451) : CreateUIFrame failed (0xx)
CInstallManager::ShowRebootTray(3459) : failed to get ui frame: 0xx
CInstallManager::CRelaunchThread::Run(3566) : ShellExecuteEx failed: %lu
%INSTALLCACHEDIR%\inststub.exe
initialzed embedded data: %s
CInstallManager::GetLicenseType(3666) : failed to export to FDE data to install.dat
failed to initialze embedded data: %s
FAILURE: Hint: %d, HR: 0xx
failed to set DING 9003 failure count: %s = %lu (%lu)
does not meet winhttp requirements do not ping
%u.%u.%u.%u.%u.%u
?module=%s&error=%s
&%s=%s
URL: %ls
&zzz=%s
http://stats.qalabs.symantec.com/n/p
http://stats.norton.com/n/p
CInstallManager::SendPing(3897) : Initializing winhttpclient failed: 0xx
ccIPC::ccIPCMgd_IComLib::CreateObject failed: 0xx
CreateClient(MASTERSERVICE_CHANNEL) failed: 0xx
SendCommand(CMDID_MASTERSERVICE_COMMAND_FORCELOAD) failed: E_INVALIDARG (not available, service is already started or BTP enabled)
SendCommand(CMDID_MASTERSERVICE_COMMAND_FORCELOAD) failed: 0xx
SendCommand(CMDID_MASTERSERVICE_COMMAND_ACCEPTEULA) failed: E_INVALIDARG (not available, service is already started or BTP enabled)
SendCommand(CMDID_MASTERSERVICE_COMMAND_ACCEPTEULA) failed: 0xx
readding run once. Old Commandline: %s
Failed to open runonce (0xx
writing new commandline %s to run key
CInstallManager::LogUserName(4202) : Session(%d) UserName: %s
CInstallManager::GetInteractiveSessions(4280) : Session: %lu, "%s", %lu - %s
CInstallManager::GetInteractiveSessions(4342) : UserName(%lu): %s
CInstallManager::LaunchTrayInActiveSessions(4376) : Running as SYSTEM - Attempting to launch multiple instances of: %s
CInstallManager::LaunchTrayInActiveSessions(4421) : Unable to launch for session %lu: 0xx
CInstallManager::LaunchTrayInActiveSessions(4426) : Launching for session %lu: 0xx
@InstUI.dll
CInstallUIWrapper::Load(58) : failed to initialize InstallUI: %s (0xx)
CInstallUIWrapper::Load(80) : failed to create install UI frame object (0xx)
CInstallUIWrapper::Load(88) : engine IInstallUIFrame::Initialize failed (0xx)
CInstallUnpacker::ExtractPackage(49) : failed to create directory: %s (%lu)
Finish: extract stub (0xx)
CInstallUnpacker::HandleStub(223) : failed to open file: %s (%lu)
CInstallUnpacker::HandleUIPackage(285) : archive.Initialize failed: 0xx
CInstallUnpacker::HandleUIPackage(292) : archive.Open failed: 0xx
CInstallUnpacker::HandleUIPackage(299) : archive.ExtractArchive failed: 0xx
CInstallUnpacker::HandleStream(312) : failed to add stream at key %d
CMediaCheck::Show(45) : GetInstallUI failed (0xx)
CMediaCheck::Show(65) : SetStartPage failed (0xx)
CMediaCheck::Show(77) : DisplayFrame failed (0xx)
GHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
wWinMain(65) : g_CrashHandler.SetOptions() == FALSE
wWinMain(104) : failed to coinitialize (0xx)
wWinMain(113) : CoInitializeSecurity() != S_OK, 0xX
MiniStub: Returned (0xx)
Advapi32.dll
CRebootTray::Show(45) : failed to get InstallTray: 0xx
CRebootTray::OnTrayClick(138) : failed to get InstallUI: 0xx
Patch reboot key was not found, not watching key for close
Patch reboot key has been cleared, closing down tray
FExtracting: %s %I64d (eFileType_UIPackage)
CResourceUnpacker::OnExtractStream(54) : archive.Initialize failed: 0xx
CResourceUnpacker::OnExtractStream(61) : archive.Open failed: 0xx
CResourceUnpacker::OnExtractStream(68) : archive.ExtractFile(%s, %s) failed: 0xx
Done Extracting: %s
CTestModeUnpacker::OnExtractStream(74) : failed to initialize archive: 0xx
CTestModeUnpacker::OnExtractStream(80) : failed to open archive: 0xx
CTestModeUnpacker::OnExtractStream(126) : failed to initialize archive: 0xx
CTestModeUnpacker::OnExtractStream(132) : failed to open archive: 0xx
DING::CRegistry::ForceOpenKey(125) : failed to open key: %s at %s (0xx)
DING::CRegistry::EnsureOpen(206) : RegistryEnsureAccess %s threw an exception: %d
DING::CRegistry::EnsureOpen(211) : RegistryEnsureAccess %s threw an exception: (0xx)
DING::CRightsChecker::ChangeAccess(228) : CRightsChecker::ChangeAccess: %s
C7zArchive::Open(151) : failed to open archive: 0xx
C7zArchive::Open(168) : failed to open archive (file not found): %s
C7zArchive::Open(191) : failed to open file: %s (%lu)
C7zArchive::Open(203) : failed to open archive: %s (0xx)
C7zArchive::Open(208) : failed to open file archive: %s (S_FALSE)
..\Source\7zArchive.cpp
C7zArchive::GetStream(802) : failed to open file: %s (%lu)
C7zArchive::SetOperationResult(836) : CRC check failed
C7zArchive::SetOperationResult(841) : Data Error
C7zArchive::SetOperationResult(846) : Data Error2
C7zArchive::SetOperationResult(851) : Data Error3
C7zArchive::SetOperationResult(855) : Unsupported function
C7zArchive::GetProperty(1003) : unexpected type (BSTR): %u
C7zArchive::GetProperty(1029) : unexpected type (bool): %u
C7zArchive::GetProperty(1052) : unexpected type (DWORD): %u
C7zArchive::GetProperty(1075) : unexpected type (filetime): %u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SymInstallStub\estorecj\nssSetup.exe
4.1.0.28
Setup.exe
10/7/2013

SymInstallStub.exe_1788_rwx_0051B000_00002000:


kernel32.dll
RPCRT4.dll
Secur32.dll
USER32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
gdiplus.dll
WINHTTP.dll
WinHttpReceiveResponse
USERENV.dll
3.6.1.16

SymInstallStub.exe_1788_rwx_00B20000_00002000:


The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:972
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymCCIS.dll (1302 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymCCISExe.exe (9907 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SCC[1].dll (22747 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.dll (167 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\SCC.config[1].txt (1504 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SymInstallStub.exe (35252 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SymInstallStub[1].exe (44299 bytes)
   %System%\wbem\Logs\wbemprox.log (76 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\SCC.config (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS2.tmp (698 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\IS3.tmp (2556018 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\SymInstallStub.state.dat (790 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstUI.dll (40137 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ccSet.dll (3388 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\09\01\InsBrand.loc (11 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\msvcp100.dll (3194 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\09\01\InsMUI.loc (3249 bytes)
   %Documents and Settings%\All Users\Application Data\NortonInstaller\Logs\2014-07-05-09h23m10s\NortonInstall-2014-07-05-09h23m10s.log (69780 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\SKU.dll (10 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ccL120U.dll (6441 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Engine.dll (22617 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstStub.exe (42359 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\ProdCbk.dll (1258 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Install.mft (1209 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\Images\InsImage.dll (10217 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\fallback.dat (4 bytes)
   %Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\msvcr100.dll (6854 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "SymInstallStub" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\SymInstallStub.exe /partnerid=estorecj /productlist=nss /staging=false /affid=softonic-e /dist=webbanner /delay=5 /launchedby=7 /fallback"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "NSS" = "%Program Files%\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.1.0.28\InstStub.exe /RELAUNCH /RUNONCE /PRODID NSS"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSS]
   "MEDIA" = "%Documents and Settings%\%current user%\Local Settings\Temp\SymInstallStub\estorecj\nssSetup.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.