not-a-virus.AdWare.Win32.Shopper.adw_5a41fb7ee4
not-a-virus:AdWare.Win32.Shopper.adw (Kaspersky), GenericInjector.YR (Lavasoft MAS)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5a41fb7ee42c43f4db474de4e3108c4b
SHA1: 07f93ff5c4ddc9a62addc3bfdb75d2103367a156
SHA256: ef9091c5f1d1f74bb71fc91b865218c3bf391a7f9ba7099a007e0fcdea88d659
SSDeep: 12288:T7JHWjqO6X7AGBP4g2/EHQsRR6Mf0BjsRxFlypRmBAlNF zZPDdwzTXuc:HkjSE0gPzMEayuBQF lP2 c
Size: 747368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Goobzo
Created at: 2014-11-01 20:12:18
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Payload
No specific payload has been found.
Process activity
The not-a-virus creates the following process(es):
spbia.exe:476
%original file name%.exe:1528
spbiu.exe:2008
spbiu.exe:440
spbiu.exe:1008
sc.exe:844
wscript.exe:1176
ShopperPro.exe:1748
ShopperPro.exe:1660
ShopperProJSINJFull.exe:396
regsvr32.exe:1712
regsvr32.exe:888
setup.exe:1868
The not-a-virus injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1528 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (46777 bytes)
The process spbiu.exe:2008 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (435 bytes)
The process spbiu.exe:440 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (435 bytes)
The process ShopperPro.exe:1748 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (6 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)
The process ShopperPro.exe:1660 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (6 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)
The not-a-virus deletes the following file(s):
%WinDir%\Tasks\ShopperPro.job (0 bytes)
The process ShopperProJSINJFull.exe:396 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscB3.tmp (150812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup.exe (1572905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup1.exe (142075 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\D1958.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup1.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup.exe (0 bytes)
The process setup.exe:1868 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBA.tmp (6 bytes)
%Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\System.dll (11 bytes)
%Program Files%\ShopperPro\Updater.exe (25112 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Program Files%\ShopperPro\database1_0_0.json (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsProcess.dll (4 bytes)
%Program Files%\ShopperPro\SPRemove.exe (19592 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
%Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsExec.dll (6 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\AccDownload.dll (10136 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Program Files%\Common Files\ShopperPro\spbici32.dll (35246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsB9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\MoreInfo.dll (7 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB6.tmp (339385 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\jsdrv.exe (100378 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsB9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\jsdrv.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\AccDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp (0 bytes)
Registry activity
The process spbia.exe:476 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B6 99 42 62 DF 1B 1C E2 B7 E5 09 88 5B DE 4B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1528 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\ShopperPro]
"reportLevel" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ShopperProJSINJFull.exe" = "ShopperProJSINJFull"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 3F 68 8A AF F2 C0 89 75 03 5F E3 AF 3C B7 AC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The not-a-virus modifies IE security zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process spbiu.exe:2008 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 24 B0 9F 34 E6 89 82 8B 0A AC 3A 2F 11 A3 BC"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Gcf" = "54 08 84 85 74 E0 27 AA BC 11 E0 4A 86 A5 58 52"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Scf" = "B5 5B FB 73 FF 5C 46 C6 ED A6 D3 4D 1B E0 3C 41"
The process spbiu.exe:440 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 96 36 CA 09 6D 78 A7 EA 9B 98 ED 40 F1 D6 8D"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Ult" = "Type: REG_QWORD, Length: 8"
The process spbiu.exe:1008 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 58 D3 A9 66 BA A6 3A 48 53 A4 BB 62 E9 F2 23"
The process sc.exe:844 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 B0 7E D6 DC 9E 41 CC 46 8D 81 24 3D 72 63 9E"
The process wscript.exe:1176 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 AD 02 59 F0 33 BC 82 59 1E B8 C4 68 0C 6F E6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\ShopperPro]
"spbiu.exe" = "ShopperPro Update Service"
The not-a-virus modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The not-a-virus modifies IE security zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process ShopperPro.exe:1748 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\ShopperPro]
"CONFIGLOCATION" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKLM\SOFTWARE\ShopperPro\ExtraInfo]
"dbversion" = "1.0.0.3"
[HKLM\SOFTWARE\ShopperPro]
"DBLocation" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\ShopperPro]
"Version" = "1.7.7176.1400"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 DB 0A 8C BC B8 39 9A E5 16 12 C6 3C 74 2E EE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
The not-a-virus modifies IE security zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"NoExplore" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ShopperPro.exe:1660 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\ShopperPro]
"CONFIGLOCATION" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKLM\SOFTWARE\ShopperPro\ExtraInfo]
"dbversion" = "1.0.0.3"
[HKLM\SOFTWARE\ShopperPro]
"DBLocation" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\ShopperPro]
"Version" = "1.7.7176.1400"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B9 06 E3 F5 3A 6C 17 A7 4F 95 60 0B 3C 8F 20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
The not-a-virus modifies IE security zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"NoExplore" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ShopperProJSINJFull.exe:396 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 B7 F7 48 99 A5 F7 07 34 62 A4 98 A4 92 C9 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:1712 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA DA 1F 0D 23 A6 D6 4E 87 A7 F7 E4 B0 82 09 25"
[HKCR\ShopperPro.ShopperProBHO]
"(Default)" = "Shopper Pro"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
"(Default)" = "ShopperPro.ShopperProBHO"
[HKCR\ShopperPro.ShopperProBHO.1\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "Shopper Pro"
[HKCR\ShopperPro.ShopperProBHO\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\ShopperPro.ShopperProBHO\CurVer]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\AppID\ShopperPro.DLL]
"AppID" = "{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}"
[HKCR\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}]
"(Default)" = "ShopperPro"
[HKCR\ShopperPro.ShopperProBHO.1]
"(Default)" = "Shopper Pro"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
"NoExplorer" = "1"
The not-a-virus deletes the following registry key(s):
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\Programmable]
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
The process regsvr32.exe:888 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"
[HKCR\ShopperPro.ShopperProBHO\CurVer]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}]
"(Default)" = "ShopperPro"
[HKCR\AppID\ShopperPro.DLL]
"AppID" = "{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}"
[HKCR\ShopperPro.ShopperProBHO]
"(Default)" = "Shopper Pro"
[HKCR\ShopperPro.ShopperProBHO.1\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "Shopper Pro"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"Version" = "1.0"
[HKCR\ShopperPro.ShopperProBHO\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\ShopperPro.ShopperProBHO.1]
"(Default)" = "Shopper Pro"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0]
"(Default)" = "ShopperPro 1.0 Type Library"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 EC C5 5C 84 B9 D9 62 18 A9 49 87 F4 7E 8F 53"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
"(Default)" = "ShopperPro.ShopperProBHO"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}]
"(Default)" = "IShopperProBHO"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
"NoExplorer" = "1"
The not-a-virus deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
The process setup.exe:1868 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 2A 2B F6 FF C4 C2 C2 F7 F9 A6 09 DE 80 5A FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"UninstallString" = "%Program Files%\ShopperPro\SPremove.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayIcon" = "%Program Files%\ShopperPro\ShopperPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayName" = "Shopper-Pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe]
"(Default)" = "%Program Files%\ShopperPro\ShopperPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsmB7.tmp\AccDownload.dll,"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus modifies IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| d2cbe70e732d28efecaf2a57ce5c1671 | c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro.dll |
| 1dc50127bf8ac78c737ff8cbbd61f7af | c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro64.dll |
| 84d2b1af7d96f7c405fb96dd1c836405 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ShopperProJSINJFull.exe |
| 23219670a1500135cbbdc6187868f555 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsmB7.tmp\AccDownload.dll |
| f0438a894f3a7e01a4aae8d1b5dd0289 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsmB7.tmp\nsProcess.dll |
| b91d349b5efea4b45670d2204b3fc7cc | c:\Program Files\Common Files\ShopperPro\spbia.exe |
| 45fe77ecaa9e5830662c9f0d8ee1390f | c:\Program Files\Common Files\ShopperPro\spbici32.dll |
| 0c7600fd064d1cb64015d89f59e99a9e | c:\Program Files\Common Files\ShopperPro\spbii32.exe |
| 92bbd5ec8f5ebf813239c8693b870f27 | c:\Program Files\Common Files\ShopperPro\spbiu.exe |
| d66af832d675475b396a43961781bdd3 | c:\Program Files\Common Files\ShopperPro\spbiw.sys |
| 4d460fce14ed93e9bc65b19b228cd1fb | c:\Program Files\ShopperPro\JSDriver\jsdrv.exe |
| de225a281e0de58dddf00f72d43a5a05 | c:\Program Files\ShopperPro\JSDriver\jsdrv.sys |
| 734420700087c9cf4cb65e0c9dbdc1da | c:\Program Files\ShopperPro\SPRemove.exe |
| d2cbe70e732d28efecaf2a57ce5c1671 | c:\Program Files\ShopperPro\ShopperPro.dll |
| 3422424c77e16e29e2dfefd5fc59c32e | c:\Program Files\ShopperPro\ShopperPro.exe |
| 1dc50127bf8ac78c737ff8cbbd61f7af | c:\Program Files\ShopperPro\ShopperPro64.dll |
| 61c36fe16fcb1cff3f83ff8a9493bf83 | c:\Program Files\ShopperPro\Updater.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus monitors the creation and termination of processes by installing a process notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus monitors the creation and termination of threads by installing a thread notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus monitors the loading of executable images into memory by installing a load-image notifier.
Propagation
VersionInfo
Company Name: Goobzo
Product Name: Update Helper
Product Version: 1.4.0.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Updater.exe
Internal Name: Update
File Version: 1.4.0.0
File Description: Update Helper
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 583344 | 583680 | 4.61012 | e56627d9d8b3e983b18199ea72315e29 |
| .rdata | 589824 | 106308 | 106496 | 3.51619 | e08be38ffd40f4c4c605db2707f39e89 |
| .data | 696320 | 24132 | 14336 | 3.72834 | fcca6e020227a68fe307daae5bd2f5be |
| .rsrc | 720896 | 2184 | 2560 | 2.66216 | c2b8997025451484bfb43f1b382b0998 |
| .reloc | 724992 | 31946 | 32256 | 3.69064 | 7dab3f9fcbdc4851ac2cbbf215775f56 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=lOCrbsNL2zWQ5lb rGZVAq PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNscnYBfPcNQB96JUqayHJ5ShVBsZBJTKQd33DmNrPeZCXg2WWe7WXU5pLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnAUq9vGFcnz6oiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=lOCrbsNL2zWQ5lb rGZVAq PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNsfynPSZphlRBgH NjEYJD5mwcMupkFTmaW6ZHVHPxt3eKDv5LZzzYK m1bb68faxo3E0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 SQ6/SOWVtKUMKBJQXm x8tG9pOkZ/PfGFwkoLVF6jef2zYWz6DzTPSToKv2VpIXZetFtmcGfLS6G/eITPVk2cBiFIt/eCwnOFhZWN4UpKuAnAhg 6mBvfU= | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=yhrBLBbZM9WBOuidoZFbta PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNse1J8WDbI2zXWceTUfoD7PipsrZDsYYadYLJQuWr4kCVnpsq67XB5ztMrPPaPUMpEQuTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHP9bXdNfe lQvZkK3dW3L3O r7NiSQEydOFU5mMfA2YwPKMRKx/Hy aYD1xi6d0GBG/fDcmPtyb/6CnTX MB8zBtIY2WtWIlXvh37zCULcAJjU0tqMnFrjE= | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=M2qT/ACBN2fLeMo2tcht1fIzPiw4haAe 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5otYRRGpvjKZmzjXrgYJQKsUCndBhIJGn5VWeEU9Hdtxh3DtGkC6i7z8TQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5JDr9I5ZW0pQwoElBeb7Hy0b2k6Rn898YXCSgtUXqN5/bNhbPoPNM9JOgq/ZWkhdl60W2ZwZ8tLob94hM9WTZwGIUi394LCc4WFlY3hSkq4CcCGD7qYG99Q== | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=PcwT4QFtuPBwlKCj/kNh836uATpQByLhxor/wRA5y0/ZhN5o5pkk8XKxIhAz9YyqV8m4sSxcrnBVhMJKItmH7BgpsFLASMB/VqUDDqJnuZuJWIAQ8Wjpin/USt YsXz/9jUckoqA0UYfqfFPqatGFoqP4Ly2z sHJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkkjazOIlR9SJb2T9B/ MLO4uZ/p4emFS3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC4jaKTJ4Po/ | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5o15s9mVquxHmOAozCG7kpnRis2OOc4tTpkln9FuJUaDwQXXhfaudf74M2kfEeZIlMLb9RQzbrixrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnJkwA4PeZyrqoiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5ozBPpqhf0PbwP KOyuV23mgeZEN1AP6VOjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDkcz Uc4uGM3YJ3CItnITU93qPv/BEEOxGiq9ZfonCR6Oox6FF19pfqJlifxMfc97cyVb1EWo6eKpVEOys WrB2aQstvfmMt tUu62Z52dk1 | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5oukLs10lovlG5tusVM2xYMbfE6vPCBy0tUdFbdC4SuJj1CrnAmW6mFMC1caU1ePdjQl/5f1xlU/5foAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxQzFrZZ4espH12c/DxyAMANlwissX8oPDfQPHab7QXjtoXNw24za1vD4WpTRkXhg7nV3/LPfa2aq5oeRu5C4CqkWleu6Ut5wZJLhm4jKngLIPSVmnMg23wA= | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=eISsn0A7mAax1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSFZXoERp6XpyiLNABL9ZIdQh9runzXQxzHSTB7vPCta8MomPbia/xeOLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnAUq9vGFcnz6oiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=eISsn0A7mAax1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSH3P26CE7VcKdT/YAxQmelWArC6hfMON4Warmv4KHPD3jB2sHOZMZb jZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDkcz Uc4uGM35RLjvXtIWAp3qPv/BEEOxGiq9ZfonCR6Oox6FF19pfqJlifxMfc97cyVb1EWo6eKpVEOys WrB2aQstvfmMt tUu62Z52dk1 | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=XJYuqQQo69ex1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSFtfPHGqF4p 1o8H6qezB8RIvhlc0B2ruPX0oeUDeNa6Dj6H2BIqEzZsYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBFjDsEl6RUU GNnePB/4x d7BqkdXXdfgmIGw6thMqh2V4jcHq5iDyWqnC7KpzdeJMQ6ACLmpwcVM5viV3xX GkoWVy5KPEJV | |
| hxxp://rep.shopper-pro.com/app/ping.ashx?e=Feo0TQZfu6JEiM3QAgk1iX6uATpQByLhH2bw5h aGFDZhN5o5pkk8XKxIhAz9YyqV8m4sSxcrnBVhMJKItmH7BgpsFLASMB/8KlwLBy8lWeJWIAQ8Wjpin/USt YsXz/9jUckoqA0UbzzOTe NyYpAcj/vesq0q5LkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBz/W13TX3vpUL2ZCt3Vty9zvq zYkkBMnThVOZjHwNmMDyjESsfx8vmmA9cYundBgRv3w3Jj7cm/ gp01/jAfMwbSGNlrViJV74d 8wlC3ACY1NLajJxa4x |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app/ping.ashx?e=lOCrbsNL2zWQ5lb rGZVAq PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNsfynPSZphlRBgH NjEYJD5mwcMupkFTmaW6ZHVHPxt3eKDv5LZzzYK m1bb68faxo3E0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 SQ6/SOWVtKUMKBJQXm x8tG9pOkZ/PfGFwkoLVF6jef2zYWz6DzTPSToKv2VpIXZetFtmcGfLS6G/eITPVk2cBiFIt/eCwnOFhZWN4UpKuAnAhg 6mBvfU= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=PcwT4QFtuPBwlKCj/kNh836uATpQByLhxor/wRA5y0/ZhN5o5pkk8XKxIhAz9YyqV8m4sSxcrnBVhMJKItmH7BgpsFLASMB/VqUDDqJnuZuJWIAQ8Wjpin/USt YsXz/9jUckoqA0UYfqfFPqatGFoqP4Ly2z sHJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkkjazOIlR9SJb2T9B/ MLO4uZ/p4emFS3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC4jaKTJ4Po/ HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5ozBPpqhf0PbwP KOyuV23mgeZEN1AP6VOjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDkcz Uc4uGM3YJ3CItnITU93qPv/BEEOxGiq9ZfonCR6Oox6FF19pfqJlifxMfc97cyVb1EWo6eKpVEOys WrB2aQstvfmMt tUu62Z52dk1 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=eISsn0A7mAax1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSFZXoERp6XpyiLNABL9ZIdQh9runzXQxzHSTB7vPCta8MomPbia/xeOLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnAUq9vGFcnz6oiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:54 GMT
Content-Length: 0
GET /app/ping.ashx?e=XJYuqQQo69ex1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSFtfPHGqF4p 1o8H6qezB8RIvhlc0B2ruPX0oeUDeNa6Dj6H2BIqEzZsYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBFjDsEl6RUU GNnePB/4x d7BqkdXXdfgmIGw6thMqh2V4jcHq5iDyWqnC7KpzdeJMQ6ACLmpwcVM5viV3xX GkoWVy5KPEJV HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:54 GMT
Content-Length: 0
GET /app/ping.ashx?e=eISsn0A7mAax1kvX9v50CIu9gKQH8db6t8f6YpiR28IQ9XpMu3JNOFT1j56xxeY4hcYa5DslSfEvHcROXjnAG7YW2 KnDgR9aACykertHSH3P26CE7VcKdT/YAxQmelWArC6hfMON4Warmv4KHPD3jB2sHOZMZb jZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDkcz Uc4uGM35RLjvXtIWAp3qPv/BEEOxGiq9ZfonCR6Oox6FF19pfqJlifxMfc97cyVb1EWo6eKpVEOys WrB2aQstvfmMt tUu62Z52dk1 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:54 GMT
Content-Length: 0
GET /app/ping.ashx?e=Feo0TQZfu6JEiM3QAgk1iX6uATpQByLhH2bw5h aGFDZhN5o5pkk8XKxIhAz9YyqV8m4sSxcrnBVhMJKItmH7BgpsFLASMB/8KlwLBy8lWeJWIAQ8Wjpin/USt YsXz/9jUckoqA0UbzzOTe NyYpAcj/vesq0q5LkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBz/W13TX3vpUL2ZCt3Vty9zvq zYkkBMnThVOZjHwNmMDyjESsfx8vmmA9cYundBgRv3w3Jj7cm/ gp01/jAfMwbSGNlrViJV74d 8wlC3ACY1NLajJxa4x HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:54 GMT
Content-Length: 0
GET /app/ping.ashx?e=lOCrbsNL2zWQ5lb rGZVAq PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNscnYBfPcNQB96JUqayHJ5ShVBsZBJTKQd33DmNrPeZCXg2WWe7WXU5pLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnAUq9vGFcnz6oiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=yhrBLBbZM9WBOuidoZFbta PoSbQMIxKAeG8v9m1fNeRoZJTpqsyZxASc9FSZWyow7LDYC2FUunov TKFH66INevmu mE5zMjQU0tt7DNse1J8WDbI2zXWceTUfoD7PipsrZDsYYadYLJQuWr4kCVnpsq67XB5ztMrPPaPUMpEQuTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHP9bXdNfe lQvZkK3dW3L3O r7NiSQEydOFU5mMfA2YwPKMRKx/Hy aYD1xi6d0GBG/fDcmPtyb/6CnTX MB8zBtIY2WtWIlXvh37zCULcAJjU0tqMnFrjE= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=M2qT/ACBN2fLeMo2tcht1fIzPiw4haAe 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5otYRRGpvjKZmzjXrgYJQKsUCndBhIJGn5VWeEU9Hdtxh3DtGkC6i7z8TQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5JDr9I5ZW0pQwoElBeb7Hy0b2k6Rn898YXCSgtUXqN5/bNhbPoPNM9JOgq/ZWkhdl60W2ZwZ8tLob94hM9WTZwGIUi394LCc4WFlY3hSkq4CcCGD7qYG99Q== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5o15s9mVquxHmOAozCG7kpnRis2OOc4tTpkln9FuJUaDwQXXhfaudf74M2kfEeZIlMLb9RQzbrixrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVrBRuaRLHbXnJkwA4PeZyrqoiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
GET /app/ping.ashx?e=t4TV4yXs13PLeMo2tcht1cqIxnKEan R 0R MP RL3UJOLXkS9L/h4r0mJ8VlOnIEpE4o jpI/96TXG bRkoYik3OSAWWw5oukLs10lovlG5tusVM2xYMbfE6vPCBy0tUdFbdC4SuJj1CrnAmW6mFMC1caU1ePdjQl/5f1xlU/5foAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxQzFrZZ4espH12c/DxyAMANlwissX8oPDfQPHab7QXjtoXNw24za1vD4WpTRkXhg7nV3/LPfa2aq5oeRu5C4CqkWleu6Ut5wZJLhm4jKngLIPSVmnMg23wA= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Nov 2014 20:08:49 GMT
Content-Length: 0
The not-a-virus connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
Uj.hlQW
t.VWPj
<1%u5
PhX%X
Sh@%X
2 34 567
j.Yf;
_tcPVj@
.PjRW
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
operator
GetProcessWindowStation
?456789:;<=
!"#$%&'()*+,-./0123
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.2.3
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.2
CREATE TEMP TABLE sqlite_temp_master(
Catcher.ProcessId:
Catcher.Path:
Watcher.Filter:
/Url:
Update.xml
URLSet
Report
homeURL
suggestURL
newTabURL
ieSearchURL
chSearchURL
ffSearchURL
opSearchURL
chromeKeyword
[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]
vup.tmp
Argument.CheckResult:
Argument.IsRunning:
Delivery of report succeeded. TaskId:
Delivery of report failed.
SHDeleteKeyW
RegDeleteKeyExA
RegDeleteKeyExW
NtQueryKey
1.3.6.1.4.1.311.2.1.12
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
Snapshot.xml
GoogleChrome
MozillaFirefox
AboutTabsUrl
HomePageUrl
DefaultProviderKeyword
UrlsToRestoreOnStartup
StartupHomepageUrl
ParentKey:
1, 0, 0, 4
Envelop.xml
Configuration.xml
UrlSet
Opera
StartPageUrl
AboutTabUrl
SearchScopeUrl
SearchScopeIconUrl
SearchScopeSuggestUrl
DefaultProviderSearchUrl
DefaultProviderIconUrl
DefaultProviderSuggestUrl
SearchPluginUrl
SearchPluginSuggestionUrl
TabPageUrl
SearchEngineFaviconUrl
SearchEngineSuggestionUrl
SearchEngineSearchUrl
SearchEngineKeyword
System.xml
Reset-2.1.0.7
UpdateUrl
ReportUrl
ReportDlls
User.xml
Argument.GeneralConfig:
Argument.Snapshot:
Argument.Flags:
keyword
favicon_url
originating_url
suggest_url
keywords
keyword LIKE '
WHERE key = 'Default Search Provider ID'
key = 'Default Search Provider ID'
DELETE from keywords WHERE id =
search_url
icon_url
startup_urls
chrome_url_overrides
urls_to_restore_on_startup
instant_url
web_url
search_icon.png
%d-%m-%Y %H:%M, %a
foreign_key_list
*** in database %s ***
unsupported encoding: %s
%s - %s
malformed database schema (%s)
unsupported file format
database schema is locked: %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unknown or unsupported join type: %T %T%s%T
a NATURAL join may not have an ON or USING clause
RIGHT and FULL OUTER JOINs are not currently supported
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
%s.%s
%s:%d
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
no such index: %s
SELECTs to the left and right of %s do not have the same number of result columns
no such table: %s
sqlite_subquery_%p_
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')-- TRIGGER %s
no such trigger: %S
no such column: %s
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
vtable constructor failed: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
no such module: %s
at most %d tables in a join
table %s: xBestIndex returned an invalid plan
TABLE %s
cannot use index: %s
%s WITH AUTOMATIC INDEX
%s AS %s
%s VIA MULTI-INDEX UNION
%s WITH INDEX %s
%s VIRTUAL TABLE INDEX %d:%s
%s USING PRIMARY KEY
%s ORDER BY
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
large file support is disabled
unknown database: %s
no such vfs: %s
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
API call with %s database connection pointer
922337203685477580
RowKey
%s-shm
OsError 0x%x (%u)
%s\etilqs_
Recovered %d frames from WAL file %s
2nd reference to page %d
invalid page number %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
Page %d:
freelist leaf count too big on page %d
btreeInitPage() returns error code %d
unable to get the page. error code=%d
On tree page %d cell %d:
On page %d at right child:
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
keyinfo(%d
%s(%d)
foreign key constraint failed
%s-mjX
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
constraint failed at %d in [%s]
abort at %d in [%s]: %s
no such savepoint: %s
cannot open savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot %s savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
database table is locked: %s
cannot open view: %s
cannot open virtual table: %s
foreign key
no such column: "%s"
cannot open %s column for writing
indexed
cannot open value of type %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s
%s: %s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
too many columns in %s
too many SQL variables
misuse of aggregate: %s()
%s%.*s"%w"
%.*s"%w"%s
sqlite_rename_table
sqlite_rename_parent
sqlite_rename_trigger
%s OR name=%Q
there is already another table or index with this name: %s
table %s may not be altered
sqlite_
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
invalid name: "%s"
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
cannot detach database %s
no such database: %s
database %s is locked
sqlite_attach
sqlite_detach
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
there is already an index named %s
default value of column [%s] is not constant
duplicate column name: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
no such collation sequence: %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
table %s may not be dropped
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
foreign key on %s should reference only one column of table %T
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
indexed columns are not unique
table %s may not be indexed
virtual tables may not be indexed
views may not be indexed
index %s already exists
there is already a table named %s
table %s has no column named %s
sqlite_autoindex_%s_%d
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);CREATE%s INDEX %.*s
no such index: %S
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
unable to identify the object to be reindexed
cannot modify %s because it is a view
table %s may not be modified
sqlite_source_id
sqlite_version
sqlite_compileoption_get
sqlite_compileoption_used
foreign key mismatch
table %S has %d columns but %d values were supplied
table %S has no column named %s
%d values for %d columns
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
automatic extension loading failed: %s
error during initialization: %s
foreign_keys
C:\Builds\Build_ShopperProMulti\BrowserInjection\Bin\ShopperPro_SPBIUpdate\Win32\WinMV\Release\spbiu.pdb
SHELL32.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
Secur32.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
CreatePipe
ConnectNamedPipe
CreateNamedPipeW
GetNamedPipeInfo
DisconnectNamedPipe
GetCPInfo
GetProcessHeap
RegCreateKeyW
RegCreateKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegDeleteKeyA
RegDeleteKeyW
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyA
RegEnumKeyExW
RegCloseKey
RegEnumKeyW
.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVPipedProcess@Utils@SpeedBit@@
.?AVImplementation@PipedProcess@Utils@SpeedBit@@
.?AVImplementation@MachineKey@Utils@SpeedBit@@
.?AVMachineKey@Utils@SpeedBit@@
.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@
.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@Implementation@General@Config@SpeedBit@@
.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@
.?AVOperaSettings@Implementation@General@Config@SpeedBit@@
.?AVSettings@Firefox@General@Config@SpeedBit@@
.?AVSettings@Opera@General@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@
.?AVValueSet@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@General@Config@SpeedBit@@
.?AVValueSet@Firefox@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Firefox@User@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Chrome@User@Config@SpeedBit@@
.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@
.?AVBrowserSettings@Chrome@SpeedBit@@
.?AVWebDataDB@SQLite@SpeedBit@@
.?AVImplementation@WebDataDB@SQLite@SpeedBit@@
.?AVException@sql@@
// SpeedBit hidden execute
// (the "+" operators and "++" were stripped from the dumped strings and are restored here;
//  the "args" declaration is missing from the dump and is assumed)
var args = [];
if (WScript.Arguments.length > 0)
{
    var root = WScript.Arguments(0);
    for (var i = 1, n = WScript.Arguments.length; i < n; i++)
        args.push(WScript.Arguments(i));
    // quote the target path, normalising slashes, then append the remaining arguments
    var path = "\"" + root.replace(/\\*$/, "").replace(/\//g, "\\") + "\"";
    path += " \"" + args.join("\" \"") + "\"";
    var shell = WScript.CreateObject("WScript.Shell");
    shell.Run(path, 0, false); // window style 0: launched with no visible window
}
<requestedExecutionLevel level='highestAvailable' uiAccess='false' />
combase.dll
kernel32.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
Injection::Snapshot::Controller::IsChromeInstalled
Chrome installed:
Chrome unchanged:
Checking<Parameter.Input>
Checking<Parameter.Key>
logs\${ModuleName}.${Pid}.log
WatchmanKey::TimeBomb::Uninstall
TimeBomb
Reporting
1.0.0.4
Chrome::StartPageProtectionEnabled
Chrome::SearchEngineProtectionEnabled
Chrome::RestoreOnStartupProtectionEnabled
Chrome::StartPageProtectionDisabled
Chrome::SearchEngineProtectionDisabled
Chrome::RestoreOnStartupProtectionDisabled
ProcessCatcher::ExecutionContext::Resume
Allocation<ExecutionContext>
ProcessMonitor::ExecutionContext::Resume
EndsBy:\iexplore.exe|EndsBy:\rundll32.exe
EndsBy:\chrome.exe
EndsBy:\firefox.exe
iexplore.exe
rundll32.exe
chrome.exe
firefox.exe
opera.exe
spbiei32.dll
spbici32.dll
spbifi32.dll
spbioi32.dll
spbii32.exe
Utils::PipedProcess::Create
Utils::PipedProcess::Start
Utils::PipedProcess::WriteData
[ReportDllsThread]
ProcessWatcher::ExecutionContext::Resume
spbia.exe
Utils::PipedProcess::ReadData
Utils::PipedProcess::Wait
Utils::PipedProcess::WriteEof
Utils::MachineKey::Create
Utils::MachineKey::Generate
Encrypt data. Key:
Decrypt data. Key:
Package url:
WatchmanKey::Updater::SetLastTime
.Service
/report
/report1
%d.%d.%d.%d%n
Created URL Set object from configuration. Name:
UrlSetID:
Could not find matching URL set... Using old configuration
spbiu.exe
[LocalScope::UpdateParser::ParseReportSection]
Monitor::ServerEncryption::CreateSessionKey
Full url:
Data url:
sbu.exe
spbiw.sys
wscript.exe
spbihe.js
[Monitor::WatchmanGuard::SendReport]
Monitor::ServerReporter::Create
/urlset:
Options.InjectAllBrowsers:
Options.InjectDefaultOnly:
Options.ServiceName:
Options.ProductCode:
Options.ProductPriority:
Options.UpdateUrl:
Options.ReportUrl:
Options.AutoStart:
Options.ProtectSearch:
Options.ProtectHome:
Options.ProtectTab:
Options.ExplorerInjection:
Options.ChromeInjection:
Options.FirefoxInjection:
Options.OperaInjection:
Options.ConfigPath:
Options.ConfigKey:
Getting current URL Set
Getting URL Set from options
] Provided. And is different from current URL set [
URL Set [
Need to send report!!!
ServerReporter::Create
general_config.xml
system_config.xml
[WatchmanInstaller::SendReport1]
iexplore.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
[WatchmanInstaller::SendReport]
Currently set URLSet:
Updating system config with new URL set...
Already reported duiring first install
Report' been sent:
WatchmanInstaller::SendReport1
calling SendReport1...
WatchmanInstaller::SendReport
[Monitor::WatchmanMonitor::CreateSendReportTask]
SendReportTask
new<SendReportTask>
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportFailed]
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
User has changed the chrome protection for:
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
User has reset the firefox protection:
Next report task:
Scheduller::RegisterTask<SendReportTask>
Monitor::Application::EnsureSystemKey
Options.Revert:
Settings.Final:
ADVAPI32.DLL
shlwapi.dll
Utils::Registry::OpenKeyExW
Subkey:
[Utils::Registry::RecursiveDeleteKeyW]
SHLWAPI.GetAddressOf<SHDeleteKeyW>
KERNEL32.DLL
VERSION.DLL
NTDLL.DLL
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::SpawnProcess]
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::SpawnProcess
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Wait]
Utils::PipedProcess::WriteProc
[Utils::PipedProcess::WriteData]
Utils::PipedProcess::ReadProc
[Utils::PipedProcess::ReadData]
.cache
IPHLPAPI.DLL
\\.\pipe\
Could not create thread event. %%s
Could not create new client event. %%s
Could not create accept thread. %%s
Could not create work thread. %%s
Could not start thread. %%s
Stop IPC error. %%s
Pipe (0x%X) read problems. %%s
IAction::QueryInterface<IExecAction>
IExecAction::put_Path
IExecAction::put_WorkingDirectory
IExecAction::put_Arguments
http\shell\open\command
[Utils::SoftwareInfo::GetHttpOpenHandler]
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
[SynchronousPipe::Write]
[SynchronousPipe::Read]
Error code: %u ('%s')
Could not allocate IPC memory. Requires size: %u
Could not create pipe. %%s
Could not create pipe event. %%s
Event error. %%s
Pipe connecting error. %%s
Could not create IPC event. %%s
SHELL32.DLL
Google\Chrome
\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
\resources.pak
\Google\Chrome\Application\
\Web Data
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Monitor::RestoreData::Controller::Build<ChromeSettings>]
[Monitor::RestoreData::Controller::Build<FirefoxSettings>]
[Injection::Snapshot::Builder::BuildSettings<ChromeSettings>]
[Injection::Snapshot::Builder::BuildSettings<FirefoxSettings>]
new<ChromeSettings>
Injection::Snapshot::Parser::Parse<ChromeSettings>
new<FirefoxSettings>
Injection::Snapshot::Parser::Parse<FirefoxSettings>
ReadStringNode<AboutTabsUrl>
[Injection::Snapshot::Parser::Parse<ChromeSettings>]
ReadStringNode<DefaultProviderKeyword>
[Injection::Snapshot::Parser::Parse<FirefoxSettings>]
[Injection::Snapshot::Controller::IsChromeInstalled]
Chrome::BrowserSettings::Create
[Injection::Snapshot::Controller::IsFirefoxInstalled]
Firefox::BrowserSettings::Create
Argument.UserSid:
WatchmanKey::Users::SaveRestoreData
MachineKey::Create
[WatchmanKey::GetEncryptionKey]
[WatchmanKey::CleanupKey]
MachineKey::Generate
[WatchmanKey::LoadEncodedData]
WatchmanKey::GetEncryptionKey
[WatchmanKey::SaveEncodedData]
[WatchmanKey::System::LoadGeneralConfig]
WatchmanKey::LoadEncodedData
WatchmanKey::System::Open
WatchmanKey::System::Ensure
[WatchmanKey::System::SaveGeneralConfig]
[WatchmanKey::System::LoadSystemConfig]
WatchmanKey::SaveEncodedData
[WatchmanKey::Users::Ensure]
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::Users::Open]
WatchmanKey::EnsureKey
[WatchmanKey::Users::LoadConfiguration]
WatchmanKey::OpenKey
WatchmanKey::Users::Ensure
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Users::SaveConfiguration]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::Updater::GetBlackListHash]
WatchmanKey::SystemKey::Open
[WatchmanKey::TimeBomb::Uninstall]
Argument.Config::General:
Argument.SystemConfig:
Argument.Config::User:
DATAMNGR.DLL
IEBHO.DLL
[Config::General::UrlSet::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Chrome::Settings::Dump]
[Config::General::Firefox::Settings::Dump]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Opera::Settings::Copy]
[Config::General::Opera::Settings::Dump]
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseOperaSettings
ReadStringNode<StartPageUrl>
ReadStringNode<AboutTabUrl>
ReadStringNode<SearchScopeUrl>
ReadStringNode<SearchScopeIconUrl>
ReadStringNode<SearchScopeSuggestUrl>
[Config::General::Parser::ParseChromeSettings]
Config::General::Parser::ParseChromeValueSets
MissedElement<GoogleChrome>
ReadStringNode<HomePageUrl>
[Config::General::Parser::ParseChromeValueSets]
ReadStringNode<DefaultProviderSearchUrl>
ReadStringNode<DefaultProviderIconUrl>
[Config::General::Parser::ParseFirefoxSettings]
ReadStringNode<DefaultProviderSuggestUrl>
Config::General::Parser::ParseFirefoxValueSets
MissedElement<MozillaFirefox>
ReadOptionalStringNode<HomePageUrl>
[Config::General::Parser::ParseFirefoxValueSets]
ReadOptionalStringNode<SearchPluginUrl>
ReadOptionalStringNode<SearchPluginSuggestionUrl>
MissedElement<UrlSet>
[Config::General::Parser::ParseUrlSet]
ReadStringNode<TabPageUrl>
ReadStringNode<SearchEngineFaviconUrl>
ReadStringNode<SearchEngineSuggestionUrl>
ReadStringNode<SearchEngineSearchUrl>
ReadStringNode<SearchEngineKeyword>
MissedElement<Opera>
[Config::General::Parser::ParseOperaSettings]
ReadStringNode<Key>
[Config::General::Builder::Build<FirefoxSettinsg>]
[Config::General::Builder::Build<ChromeSettinsg>]
[Config::General::Builder::Build<OperaSettinsg>]
We couldn't find the URL Set section... probably an old configuration!
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::SaveGeneralConfig
Reset-2.1.0.7
2.1.0.7
2.0.0.0
ReadStringNode<UpdateUrl>
ReadOptionalStringNode<UrlSet>
ReadStringNode<ReportUrl>
ReadBooleanNode<GoogleChrome>
ReadBooleanNode<Opera>
ReadBooleanNode<MozillaFirefox>
Could not find URL Set in configuration. Probably older configuration.
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::SaveSystemConfig
[Config::User::Firefox::Settings::Copy]
[Config::User::Chrome::Settings::Copy]
Config::User::Parser::ParseFirefoxSettings
Config::User::Parser::ParseChromeSettings
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Builder::BuildChromeSettings]
[Config::User::Builder::BuildFirefoxSettings]
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::SaveConfiguration
Chrome::InstallInfo::Get
[Chrome::BrowserSettings::OpenConfigFiles]
SQLite::WebDataDB::Create
Argument.HomePageUrl:
[Chrome::BrowserSettings::SetHomePagePreferences]
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
Argument.HomePageIsNewTabPage:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderId:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderName:
Argument.DefaultProviderIconUrl:
Argument.DefaultProviderSearchUrl:
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
Argument.DefaultProviderSuggestUrl:
Argument.UrlsToRestoreOnStartup:
Argument.RestoreOnStartup:
Argument.KeywordToSearch:
[Chrome::BrowserSettings::GetSearchProviderId]
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::GetFirstProviderId
[Chrome::BrowserSettings::EnsureSearchProvider]
Result.ProviderId:
[Chrome::BrowserSettings::DeleteSearchProvider]
SQLite::WebDataDB::Values::Create
Key deleted:
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::RestoreState]
Chrome::BrowserSettings::OpenConfigFiles
SQLite::WebDataDB::SetDefaultProvider
Chrome::BrowserSettings::DeleteSearchProvider
[Chrome::BrowserSettings::PropagateState]
Chrome::BrowserSettings::EnsureSearchProvider
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetFirstProviderId]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderId]
chrome-extension://
Checking<extensions.settings>
%Program Files%\Common Files\ShopperPro\spbiu.exe
1.0.0.9
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
spbia.exe:476
%original file name%.exe:1528
spbiu.exe:2008
spbiu.exe:440
spbiu.exe:1008
sc.exe:844
wscript.exe:1176
ShopperPro.exe:1748
ShopperPro.exe:1660
ShopperProJSINJFull.exe:396
regsvr32.exe:1712
regsvr32.exe:888
setup.exe:1868
- Delete the original not-a-virus file.
- Delete or disinfect the following files created/modified by the not-a-virus:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (46777 bytes)
%WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (435 bytes)
%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (6 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB3.tmp (150812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup.exe (1572905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp\setup1.exe (142075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBA.tmp (6 bytes)
%Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\System.dll (11 bytes)
%Program Files%\ShopperPro\Updater.exe (25112 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Program Files%\ShopperPro\database1_0_0.json (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsProcess.dll (4 bytes)
%Program Files%\ShopperPro\SPRemove.exe (19592 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
%Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsExec.dll (6 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\AccDownload.dll (10136 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Program Files%\Common Files\ShopperPro\spbici32.dll (35246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsBB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\nsB9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\MoreInfo.dll (7 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB6.tmp (339385 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB7.tmp\jsdrv.exe (100378 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.