Virus.Win32.Sality_bd5600ddf7

by malwarelabrobot on August 5th, 2014 in Malware Descriptions.

Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, SearchProtectToolbar.YR, GenericInjector.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bd5600ddf7f19d2f830362dcf083901c
SHA1: de6c712e849e3ae6f36d8f9a9feb91c25682a8fb
SHA256: 97f7d9dda9ff032aeadf230d62ceb587ac8b2131744fbd4527034c8519a8dc31
SSDeep: 49152:It4Wq 2TWNggtZGCxSkMdU3Zgdbzt5gxzlXMXls0KdRPO6cO:I5QT9CxS3qJm95gPXM1FKjPO6cO
Size: 2326936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2011-07-06 17:31:20
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

CltMngSvc.exe:2068
CltMngSvc.exe:224
nsm4.exe:148
%original file name%.exe:1276
cltmng.exe:2516
nsq9.exe:1404

The Virus injects its code into the following process(es):

cltmng.exe:2492
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsm4.exe:148 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (24 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)

The process %original file name%.exe:1276 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (741 bytes)
%Program Files%\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014EDF8_Rar\%original file name%.exe (15799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe (89498 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\SearchProtect\bin\SPHook32.dll (5520 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook32.dll (5520 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (741694 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\popupTransparent.xul (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPRunner.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (175875 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Program Files%\SearchProtect\bin\uninstall.exe (6584 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\bin\SPRunner.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (1856 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
%System%\msvcr100.dll (10882 bytes)
%Program Files%\SearchProtect\bin\cltmng.exe (89498 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\ChromeModule.dll (28288 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm4.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%System%\msvcp100.dll (4642 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%Program Files%\SearchProtect\bin\ChromeModule.dll (28288 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (6 bytes)
%Program Files%\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
%Program Files%\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\bin\msvcr100.dll (25824 bytes)
%Program Files%\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\application.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Program Files%\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
%Program Files%\SearchProtect\ffprotect\application.js (601 bytes)
%Program Files%\SearchProtect\bin\msvcp100.dll (14184 bytes)
%Program Files%\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)

The process nsq9.exe:1404 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (24 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscA.tmp (0 bytes)

Registry activity

The process CltMngSvc.exe:2068 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 6F DC A3 93 C0 43 1D E6 F2 6B AF 06 FA FC 8D"

The process CltMngSvc.exe:224 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 3F B7 92 E0 A9 4B 56 C6 DE 58 8E 71 5A 21 2C"

The process nsm4.exe:148 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3C 79 C6 A7 2E F6 ED 2F 09 A0 D7 82 C1 4D EC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Virus modifies the IE security zone settings so that all local web nodes whose names contain no dots and which do not refer to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_36" = "258088356"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Conduit"

[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_30" = "215073630"
"a1_48" = "262978150"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a1_53" = "1560123974"
"a1_42" = "608335292"
"a1_50" = "4267342224"
"a2_28" = "200730413"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas]
"a2_26" = "186388573"
"a2_27" = "193573873"

[HKCU\Software\Aas\695404737]
"7169121" = "157"

[HKCU\Software\Aas]
"a2_25" = "179228956"
"a2_22" = "157728729"

"a2_20" = "143379083"
"a2_21" = "150544185"
"a2_7" = "50176954"
"a4_11" = "78860331"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas\695404737]
"35845605" = "279"

[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"

[HKCU\Software\Aas]
"a4_10" = "71691210"
"a2_6" = "43009444"
"a2_5" = "35841042"
"a2_4" = "28673537"
"a2_3" = "21498089"
"a2_2" = "14346572"
"a2_1" = "7173091"
"a2_0" = "9832"
"a2_44" = "315449677"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\,"

[HKCU\Software\Aas]
"a2_9" = "64528830"

"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a2_53" = "379972038"
"a3_43" = "324843106"
"a2_51" = "365619674"
"a2_50" = "358449583"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a2_55" = "394299729"
"a2_54" = "387136433"
"a3_51" = "348755322"
"a3_35" = "267899754"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "5E8F4F62667CCCACEB781E90A37BB0A8ADFF5D0207CECC747614EAA681F1DF0F00D65B17772A9DACB325D1E7C4AC55E9F9253BF5993C7E62952C57DF62A6E5FDC9B8A5299A8DBED1FB5A9EB34E350D6061885163CFAE9F1D1D0ECFBA99B9BDAEB650B55175FC1C2A965481E15E9A3CAD71726D65F3CDA5637BF0BE3BC8E374C3"

[HKCU\Software\Aas]
"a2_8" = "57360172"
"a1_28" = "3228685785"
"a1_12" = "1174665665"
"a1_13" = "4076776892"
"a1_10" = "1071546649"
"a1_11" = "2318739959"
"a1_16" = "1472144990"
"a1_17" = "3772702960"
"a1_14" = "4170948361"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_18" = "1449162629"
"a1_19" = "3052690794"
"a2_48" = "344126011"
"a2_49" = "351278618"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"UninstallString" = "%Program Files%\SearchProtect\bin\uninstall.exe /S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a2_40" = "286766458"
"a2_41" = "293932015"
"a2_42" = "301100597"
"a2_43" = "308266908"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a2_46" = "329785115"
"a2_47" = "336951251"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "1.5.0.71"

[HKCU\Software\Aas]
"a3_36" = "241268621"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayName" = "Search Protect by conduit"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 4C 54 69 16 36 A5 04 DB BB 6F 3F 2D BA 9F D5"

[HKCU\Software\SearchProtect\ffprotect]
"ffHomepage" = "{}"

[HKCU\Software\Aas]
"a2_57" = "408634468"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a2_56" = "401466235"
"a3_42" = "284237251"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a1_0" = "3299283285"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a3_33" = "253401768"
"a4_13" = "93198573"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_41" = "1175678420"
"a1_40" = "3112489572"
"a1_43" = "812055938"
"a4_12" = "86029452"
"a1_45" = "2664743508"
"a1_44" = "806423141"
"a1_47" = "3114940119"
"a1_46" = "382469827"
"a1_49" = "1624578760"
"a4_15" = "107536815"

[HKCU\Software\Aas\695404737]
"43014726" = "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"

[HKCU\Software\Aas]
"a3_41" = "277248416"
"a4_14" = "100367694"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "%Program Files%\SearchProtect\bin\cltmng.exe"

[HKCU\Software\Aas]
"a4_17" = "121875057"
"a3_28" = "183865525"
"a4_16" = "114705936"
"a3_40" = "269796609"
"a3_29" = "224867540"
"a4_19" = "136213299"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a4_18" = "129044178"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a4_24" = "172058904"
"a4_25" = "179228025"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a3_47" = "353765350"
"a2_29" = "207899426"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a1_22" = "767601794"
"a1_56" = "776211010"
"a1_57" = "3096474560"
"a1_54" = "622265903"
"a1_55" = "2017316994"
"a1_52" = "638804490"
"a2_24" = "172061634"
"a3_37" = "248309804"
"a1_51" = "2008350609"

"a4_55" = "394301655"
"a3_46" = "313221959"

[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SP1D2CC307-73C5-420E-A9B7-FA66CBBB6DAF"

[HKCU\Software\Aas]
"a1_21" = "3088289700"
"a2_23" = "164896728"
"a2_17" = "121878036"
"a2_16" = "114708582"
"a2_15" = "107543232"
"a2_14" = "100362012"
"a2_13" = "93206883"
"a2_12" = "86027549"
"a2_11" = "78860252"
"a2_10" = "71693673"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_26" = "169827315"
"a3_34" = "260325067"
"a2_19" = "136209430"
"a2_18" = "129046589"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_1" = "3386940473"
"a1_2" = "3712339979"
"a1_3" = "2620474486"
"a1_4" = "83174613"
"a1_5" = "616562248"
"a1_6" = "454656014"
"a1_7" = "2401786110"
"a1_8" = "310532945"
"a1_9" = "2948510009"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a4_26" = "186397146"
"a1_23" = "1393522403"
"a1_29" = "2974281407"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a1_20" = "1050578346"
"a3_44" = "332278405"
"a3_30" = "231909751"
"a1_27" = "889908127"
"a3_31" = "205278614"
"a1_26" = "675954575"
"a1_25" = "2922091070"
"a2_52" = "372799793"
"a3_32" = "212854281"
"a1_24" = "2020335726"

"a3_50" = "341766363"
"a2_45" = "322613994"
"a3_52" = "389745053"
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a4_52" = "372794292"
"a1_38" = "213872447"
"a1_39" = "3964775043"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_30" = "2646907918"
"a1_31" = "3886322426"
"a1_32" = "1167938370"
"a1_33" = "2462240188"
"a1_34" = "2225036716"
"a1_35" = "370808629"
"a1_36" = "2012235382"
"a1_37" = "3198637671"
"a1_15" = "247433699"
"a2_31" = "222234361"
"a2_30" = "215079550"
"a2_33" = "236579903"
"a2_32" = "229414781"
"a2_35" = "250911624"
"a2_34" = "243747348"
"a2_37" = "265263361"
"a2_36" = "258081705"
"a2_39" = "279598592"
"a2_38" = "272431981"
"a3_45" = "305778468"

The Virus adds a rule to the Windows Firewall that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

The firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Virus deletes the following value(s) in system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"

The process cltmng.exe:2516 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 92 CE 45 82 30 DD A3 08 AE AF 56 9A D9 C6 C2"

The process cltmng.exe:2492 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E CB 9C 9D 07 D8 E3 43 6D 1F 7D EC 36 CB DA 3A"

[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"
"ffHomepage" = "{}"

The process nsq9.exe:1404 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CA 86 5B 21 B1 A9 9A C0 C8 F2 47 95 7D 48 CA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Virus modifies the IE security zone settings so that all local web nodes with no dots in their names, which do not belong to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
427bd933e1e35f75b39ea0e97420672e c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\ChromeModule.dll
2b9a15dfdc14b4ecb1e8fc13ae43e60f c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\CltMngSvc.exe
47d4e142baff5016f0c5a089b16d629f c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\FirefoxModule.dll
55b460acb7d70c33db75c310c651e095 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\InternetExplorerModule.dll
9feacad9b427f3eac86200053816bfb2 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPHook32.dll
ba2d6991a577dc63be639603de1218bf c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPRunner.exe
e7bfaec48b638814f9da09ff1f4b723a c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\cltmng.exe
03e9314004f504a14a61c3d364b62f66 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\msvcr100.dll
427bd933e1e35f75b39ea0e97420672e c:\Program Files\SearchProtect\bin\ChromeModule.dll
2b9a15dfdc14b4ecb1e8fc13ae43e60f c:\Program Files\SearchProtect\bin\CltMngSvc.exe
47d4e142baff5016f0c5a089b16d629f c:\Program Files\SearchProtect\bin\FirefoxModule.dll
55b460acb7d70c33db75c310c651e095 c:\Program Files\SearchProtect\bin\InternetExplorerModule.dll
9feacad9b427f3eac86200053816bfb2 c:\Program Files\SearchProtect\bin\SPHook32.dll
ba2d6991a577dc63be639603de1218bf c:\Program Files\SearchProtect\bin\SPRunner.exe
e7bfaec48b638814f9da09ff1f4b723a c:\Program Files\SearchProtect\bin\cltmng.exe
03e9314004f504a14a61c3d364b62f66 c:\Program Files\SearchProtect\bin\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\Program Files\SearchProtect\bin\msvcr100.dll
1ffd12341e910d9be43658b98f1cb9dc c:\Program Files\SearchProtect\bin\uninstall.exe
03e9314004f504a14a61c3d364b62f66 c:\WINDOWS\system32\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\WINDOWS\system32\msvcr100.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Conduit
Product Name: Search Protect
Product Version: 1.5.0.71
Legal Copyright: 2012 (c) Conduit. All rights reserved.
Legal Trademarks:
Original Filename: SearchProtect (R) P
Internal Name: Unknown
File Version: 1.5.0.71
File Description: Search Protect by Conduit
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 25506 25600 4.51095 eaec91b880ba7bb207ca9d4c54420c5d
.rdata 32768 6386 6656 3.3883 170563e94de7ebfd6e622a164ce38c8a
.data 40960 419484 512 0.991115 23d69b1e3a55dee07701198b7650a06b
.ndata 462848 1642496 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 2105344 118784 115200 5.13064 99d9329d11a35d3b208487fa4e82d274

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Virus connects to the servers at the following location(s):

CltMngSvc.exe_2068:


cltmng.exe_2492:


cltmng.exe_2492_rwx_011D0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

cltmng.exe_2492_rwx_011E0000_00001000:

|cltmng.exeM_2492_

Explorer.EXE_1684_rwx_00EE0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_1684_rwx_00EF0000_00001000:

|explorer.exeM_1684_

Explorer.EXE_1684_rwx_038D0000_0108E000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    CltMngSvc.exe:2068
    CltMngSvc.exe:224
    nsm4.exe:148
    %original file name%.exe:1276
    cltmng.exe:2516
    nsq9.exe:1404

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (24 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\json2.js (784 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (741 bytes)
    %Program Files%\SearchProtect\ffprotect\nsprotector.js (1 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0014EDF8_Rar\%original file name%.exe (15799 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq9.exe (3616 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe (89498 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
    %Program Files%\SearchProtect\bin\SPHook32.dll (5520 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook32.dll (5520 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\main.html (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcp100.dll (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (741694 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (11 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\popupTransparent.xul (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPRunner.exe (11048 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (175875 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
    %Program Files%\SearchProtect\bin\uninstall.exe (6584 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\abstraction.js (52 bytes)
    %Program Files%\SearchProtect\bin\SPRunner.exe (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\main.html (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcr100.dll (25824 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
    %System%\msvcr100.dll (10882 bytes)
    %Program Files%\SearchProtect\bin\cltmng.exe (89498 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\ChromeModule.dll (28288 bytes)
    %WinDir%\system.ini (72 bytes)
    %Program Files%\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm4.exe (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (3616 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (3 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (784 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\nsprotector.js (1 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (1 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (986 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\main.html (986 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
    %System%\msvcp100.dll (4642 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
    %Program Files%\SearchProtect\bin\ChromeModule.dll (28288 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (6 bytes)
    %Program Files%\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
    %Program Files%\SearchProtect\ffprotect\abstraction.js (52 bytes)
    %Program Files%\SearchProtect\bin\msvcr100.dll (25824 bytes)
    %Program Files%\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (938 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
    %Program Files%\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\application.js (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
    %Program Files%\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
    %Program Files%\SearchProtect\ffprotect\application.js (601 bytes)
    %Program Files%\SearchProtect\bin\msvcp100.dll (14184 bytes)
    %Program Files%\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\main.html (986 bytes)
    %Program Files%\SearchProtect\Dialogs\lib\json2.js (784 bytes)
    %Program Files%\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (24 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
