not-a-virus.AdWare.Win32.Shopper.ajf_14345cc10f

by malwarelabrobot on April 3rd, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.Shopper.ajf (Kaspersky), GenericInjector.YR (Lavasoft MAS)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 14345cc10fd23430a0c1a31bcd09ad27
SHA1: c758275af4725db02d85174cbc060f5e79e70a7d
SHA256: ced9c480fc30e3ddb73a24365410d5549e45411da18c7266e10b068213a0963b
SSDeep: 12288:VctimrWnqzY9zknTVL4DgL/tuVyD9ZTX9m47OE/5EeBpd2rDDdwyWVIREQ2F:iFWnlex6VyD3JOE/JBn2rD VOg
Size: 751016 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Goobzo
Created at: 2015-03-20 08:13:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

%original file name%.exe:692
spbia.exe:1252
ShopperPro.exe:1100
spbiu.exe:2000
spbiu.exe:664
spbiu.exe:1936
sc.exe:920
wscript.exe:1276
ShopperProJSINJFull.exe:164
regsvr32.exe:448
setup.exe:676

The not-a-virus injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:692 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (30673 bytes)

The process ShopperPro.exe:1100 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (11 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)

The process spbiu.exe:664 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (439 bytes)

The process spbiu.exe:1936 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (435 bytes)

The process ShopperProJSINJFull.exe:164 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup1.exe (143233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup.exe (1588424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (152667 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\D1958.dll (14 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\D1958.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup1.exe (0 bytes)

The process setup.exe:676 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsExec.dll (6 bytes)
%Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
%Program Files%\ShopperPro\Updater.exe (25112 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Program Files%\ShopperPro\database1_0_0.json (11 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
%Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\jsdrv.exe (100378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\AccDownload.dll (11344 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Program Files%\Common Files\ShopperPro\spbici32.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns9.tmp (6 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (344806 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\MoreInfo.dll (7 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\jsdrv.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\AccDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm7.tmp (0 bytes)

Registry activity

The process %original file name%.exe:692 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\ShopperPro]
"reportLevel" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ShopperProJSINJFull.exe" = "ShopperProJSINJFull"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D FF C9 9E 84 9D 51 70 24 F0 34 44 8A 9D 30 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process spbia.exe:1252 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C E8 1B D8 F2 7B ED E6 05 CF 71 A2 DA E6 7D 66"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process ShopperPro.exe:1100 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\ShopperPro]
"CONFIGLOCATION" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKLM\SOFTWARE\ShopperPro\ExtraInfo]
"DBVersion" = "1.0.1.3"

[HKLM\SOFTWARE\ShopperPro]
"DBLocation" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\ShopperPro]
"Version" = "2.8.8924.1728"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 FC 0C C6 46 2C 84 4F FD 8D AF E8 D6 E7 9E 76"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"NoExplore" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process spbiu.exe:2000 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 8D 33 D1 F4 5C E4 A7 73 C2 FC 24 A0 5E 3C 7C"

The process spbiu.exe:664 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 11 1A A7 22 59 A1 F1 3A 15 3E 9A 7B 94 CD 3B"

[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Ult" = "Type: REG_QWORD, Length: 8"

The process spbiu.exe:1936 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 4F 86 D8 F4 28 5A CC 13 46 6E 43 51 D0 D9 C4"

[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Gcf" = "BD 5C D8 2C 4B 26 89 3B 6B 04 51 21 50 9E D3 FC"

[HKLM\SOFTWARE\ShopperPro\SPBIUpd\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Scf" = "F4 DB E4 95 A8 E4 52 FE F2 C1 43 3C 85 EA F7 66"

The process sc.exe:920 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BF 88 82 86 F8 21 26 9E 0E B0 59 09 E9 EC 5C"

The process wscript.exe:1276 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA B1 55 E5 E0 82 3B C7 5C E1 4C 7B B7 E2 E5 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\ShopperPro]
"spbiu.exe" = "ShopperPro Update Service"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process ShopperProJSINJFull.exe:164 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 32 04 AB 26 82 15 CB 05 0F C9 A9 03 C1 B7 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:448 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"

[HKCR\ShopperPro.ShopperProBHO\CurVer]
"(Default)" = "ShopperPro.ShopperProBHO.1"

[HKCR\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}]
"(Default)" = "ShopperPro"

[HKCR\AppID\ShopperPro.DLL]
"AppID" = "{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}"

[HKCR\ShopperPro.ShopperProBHO]
"(Default)" = "Shopper Pro"

[HKCR\ShopperPro.ShopperProBHO.1\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
"(Default)" = "ShopperPro.ShopperProBHO.1"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "Shopper Pro"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"Version" = "1.0"

[HKCR\ShopperPro.ShopperProBHO\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"

[HKCR\ShopperPro.ShopperProBHO.1]
"(Default)" = "Shopper Pro"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0]
"(Default)" = "ShopperPro 1.0 Type Library"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 95 85 A3 5E 66 E8 9A 04 CF 19 34 FF 50 84 00"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
"(Default)" = "ShopperPro.ShopperProBHO"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}]
"(Default)" = "IShopperProBHO"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"

"NoExplorer" = "1"

The not-a-virus deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]

The process setup.exe:676 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 8D 32 05 8C CD 48 02 C5 3F B0 9D 70 DB 0A 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"UninstallString" = "%Program Files%\ShopperPro\SPremove.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayIcon" = "%Program Files%\ShopperPro\ShopperPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayName" = "Shopper-Pro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe]
"(Default)" = "%Program Files%\ShopperPro\ShopperPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm6.tmp\AccDownload.dll,"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
c7fe404737de716087b839e238b817bb c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro.dll
93931db182969db99595c3580912ba1b c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro64.dll
f45d6466ffdba2b27a434a8addb7058c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ShopperProJSINJFull.exe
6f7d9e111a17fab195efe0bbd3a0442d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm6.tmp\AccDownload.dll
faa7f034b38e729a983965c04cc70fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm6.tmp\nsProcess.dll
5cf896bcc5236978066a38c5c25da90a c:\Program Files\Common Files\ShopperPro\spbia.exe
0dfe7ab9042acb04173dd2fb2ac1eb9f c:\Program Files\Common Files\ShopperPro\spbici32.dll
abeb41e00469315a9336c0b79706c7d4 c:\Program Files\Common Files\ShopperPro\spbii32.exe
44949bddbdfaaaa944e88d239196cb07 c:\Program Files\Common Files\ShopperPro\spbiu.exe
4d9f737f67ba6d4bea08022105f612ea c:\Program Files\Common Files\ShopperPro\spbiw.sys
23b1ed4228e698770d109980a760c39c c:\Program Files\ShopperPro\JSDriver\jsdrv.exe
515a4bff18fe48336e92c0dfe67c6c02 c:\Program Files\ShopperPro\JSDriver\jsdrv.sys
bd345a040d5db36b50fc66e6ccc32a9c c:\Program Files\ShopperPro\SPRemove.exe
c7fe404737de716087b839e238b817bb c:\Program Files\ShopperPro\ShopperPro.dll
0020546dab8d2637438e3c1e665630e9 c:\Program Files\ShopperPro\ShopperPro.exe
93931db182969db99595c3580912ba1b c:\Program Files\ShopperPro\ShopperPro64.dll
c9542a74c543f4dc73d5fa2c0b5795d0 c:\Program Files\ShopperPro\Updater.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls creation and closing of processes by installing the process notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls creation and closing of threads by installing the thread notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls loading of executable images into memory by installing the load image notifier.

Propagation

VersionInfo

Company Name: Goobzo
Product Name: Update Helper
Product Version: 1.4.0.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Updater.exe
Internal Name: Update
File Version: 1.4.0.0
File Description: Update Helper
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 585600 585728 4.609 9ed00c8dba0422715b3a73e217bbbb98
.rdata 589824 107292 107520 3.51449 adb950812c934b02d0a6617de1bea60d
.data 700416 24164 14336 3.72683 c70356a0dafdada995312aee9aa9b17b
.rsrc 724992 2184 2560 2.66487 1dcfdd2ffc762a7a0facff5fb2201199
.reloc 729088 32776 33280 3.63445 ae30a8ad7da78773e4d195acca33b7c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /app/ping.ashx?e=WVbe3wHlwMFwFDZ4m8MeBpJx4LavVxtF2YTeaOaZJPFysSIQM/WMqlfJuLEsXK5wcwL6a1vW iw912kUBNkf3ECniOnbhHGnDyhRDL0PLakre4uHDLyH9Ris2OOc4tTpB2Q  HIGk6C6aa mhHWxsWuThJq2ybZRJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkkjazOIlR9SJb2T9B/ MLOQp/ql BaU3XnW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC4jaKTJ4Po/  HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:58 GMT
Content-Length: 0



GET /app/ping.ashx?e=yhrBLBbZM9XWk3RCzFhOxiV Qu7xXRZn62ls PLHCLDT03ZwnpMmrnnHkVEbFY2m3Utxb6gxTCgASc2/kx91qRTHjmB6zG1aGJMtnIyRqfEokLndUNuBHKli32pbacVsAF2DE/CAne/g0awzhjZsXPGPQ 2aX6wlX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8UMxa2WeHrKR9dnPw8cgDADqAsGZZs3OrP0Dx2m 0F47aFzcNuM2tbw FqU0ZF4YO51d/yz32tmquaHkbuQuAqpFpXrulLecGSS4ZuIyp4CyD0lZpzINt8A HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:58 GMT
Content-Length: 0



GET /app/ping.ashx?e=KSz5qzb2KgK3/TSRmvrD0qpcHkZ8gszkB70p5cFj8vcSZTerw9Y85dVUaX7QH4by7Y0fiNf1rljDMqqaRKVJBs5mQvCBtLnJPWfQa8x9cgefD5PY7X0q xis2OOc4tTp1sgfHgwJGopMjaP02 pNDljtKNJXIFNsxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fkkOv0jllbSlDCgSUF5vsfLRvaTpGfz3xhcJKC1Reo3n9s2Fs g80z0k6Cr9laSF2XrRbZnBny0uhv3iEz1ZNnAYhSLf3gsJzhYWVjeFKSrgJwIYPupgb31 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:59 GMT
Content-Length: 0



GET /app/ping.ashx?e=QHucCbLl /bcrHBJLG9UXzVAbGpJT0aj62ls PLHCLDT03ZwnpMmrnnHkVEbFY2m3Utxb6gxTCgASc2/kx91qRTHjmB6zG1aGJMtnIyRqfFNf/BPVXtDpcDn4lsvTWhNwUxux5aAOZpTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBoL5EnBtwOkGGNnePB/4x d7BqkdXXdfgmIGw6thMqh2V4jcHq5iDyWqnC7KpzdeJMQ6ACLmpwcVM5viV3xX GkoWVy5KPEJV HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:59 GMT
Content-Length: 0



GET /app/ping.ashx?e=QHucCbLl /bcrHBJLG9UXzVAbGpJT0aj62ls PLHCLDT03ZwnpMmrnnHkVEbFY2m3Utxb6gxTCgASc2/kx91qRTHjmB6zG1aGJMtnIyRqfE9LGoxHbVyuYaP0IDq/YEE9jUckoqA0Ua808AiUQEulnpsq67XB5ztMrPPaPUMpEQuTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHP9bXdNfe lQvZkK3dW3L3Mu2rvMw5F/F FU5mMfA2YwPKMRKx/Hy aYD1xi6d0GBG/fDcmPtyb/6CnTX MB8zBtIY2WtWIlXvh37zCULcAJjU0tqMnFrjE= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:24:00 GMT
Content-Length: 0


GET /app/ping.ashx?e=yhrBLBbZM9XWk3RCzFhOxiV Qu7xXRZn62ls PLHCLDT03ZwnpMmrnnHkVEbFY2m3Utxb6gxTCgASc2/kx91qRTHjmB6zG1aGJMtnIyRqfGFmqJhaN8khCsHEelWCJ5fjam4MEBhSaVIe8C2d7qMd/hzmJ3DuMHpZrdGZ5CXclVTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBFjDsEl6RUU GNnePB/4x d7BqkdXXdfgmIGw6thMqh2V4jcHq5iDyWqnC7KpzdeJMQ6ACLmpwcVM5viV3xX GkoWVy5KPEJV HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:58 GMT
Content-Length: 0



GET /app/ping.ashx?e=PcwT4QFtuPBwlKCj/kNh83AUNnibwx4GknHgtq9XG0XZhN5o5pkk8XKxIhAz9YyqV8m4sSxcrnBzAvprW9b6LD3XaRQE2R/cQKeI6duEcaeJWIAQ8Wjpin/USt YsXz/9jUckoqA0UbzzOTe NyYpAcj/vesq0q5LkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBz/W13TX3vpUL2ZCt3Vty9zvq zYkkBMnThVOZjHwNmMDyjESsfx8vmmA9cYundBgRv3w3Jj7cm/ gp01/jAfMwbSGNlrViJV74d 8wlC3ACY1NLajJxa4x HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:58 GMT
Content-Length: 0



GET /app/ping.ashx?e=QHucCbLl /bcrHBJLG9UXzVAbGpJT0aj62ls PLHCLDT03ZwnpMmrnnHkVEbFY2m3Utxb6gxTCgASc2/kx91qRTHjmB6zG1aGJMtnIyRqfEWbXDZ/fQGq7DZxT1gF3s8/utPely9Ar8sexx7yz0/8Osk005mr4h3RELklnnBsg3IAQp/s6g24UCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mKGC96/uInThvKhzwACpnMwRyEEgFIv6merot47/97D9xGy1pkyHuhz0mbos5SmUuL1RonSUM0G8HF9ed47qLJcu89NeIzxh4vUld/OOG8dY= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:59 GMT
Content-Length: 0


GET /app/ping.ashx?e=uWabAt9SLcwd5zMhdw4gNjVQ4tsfM4p Rk6 scAfi2D7RH4w/5EvdUqAWhGQi7pGedGSGvoDLGNsNJfpIfs773Nqus3mZGr7UveRa4FPcHYV eXnWIJw0sTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5IKvLbF/776uHTPu28Xg1KLL1nZBo7eeo8anEoWbKjymmCGm6aEfEMRDPPKLIJnK7Cneg GZ11mgu3uNDO55DTPQPHab7QXjtoXNw24za1vD4WpTRkXhg7nV3/LPfa2aq5oeRu5C4CqkWleu6Ut5wZJLhm4jKngLIDtEhzkZ2j k8eWl /xhUn3wRjl/q8gRfT14az48HSfI= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: updatejs.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:49 GMT
Content-Length: 0



GET /app/ping.ashx?e=t1D UTAmiee yyS2qzaxR6UJDMapLwfaTEgCpOx0T0GQL2F0hg1RiTOxvMX97V0ps943/u aXwShJMsVUchB6N77hnAdSnY7Ffnl51iCcNLE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 SCry2xf rh0z7tvF4NSiy9Z2QaO3nqPGpxKFmyo8ppghpumhHxDEQzzyiyCZyuwp3oPhmddZoLt7jQzueQ0z0Dx2m 0F47aFzcNuM2tbw FqU0ZF4YO51d/yz32tmquaHkbuQuAqpFpXrulLecGSS4ZuIyp4CyA7RIc5Gdo/pPHlpfv8YVJ98EY5f6vIEX5qM9V I3rpu HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: updatejs.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:49 GMT
Content-Length: 0


GET /app/ping.ashx?e=uWabAt9SLcwd5zMhdw4gNjVQ4tsfM4p Rk6 scAfi2D7RH4w/5EvdUqAWhGQi7pGedGSGvoDLGNsNJfpIfs778en35vktBsJx6 Utk3yOOrhrXnnSje mECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mbjagVUTwqno3tPfNk0LwjiLK0PdH5S113vQnLoLWpSHwkwBI6xGSTGbP2J8sl1sM00KMJoV MDdUipml/xTtJneo /8EQQ7EaKr1l icJHo6jHoUXX2l omWJ/Ex9z3tzJVvURajp4qlUQ7Kz5asHZpCy29 Yy36 2rnEMjUuKYbM9UAJTh5I6sLZ 32Ou70b8FmD360SCU= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: updatejs.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:49 GMT
Content-Length: 0



GET /app/ping.ashx?e=PcwT4QFtuPClUB4b/muCJdpqjzJQw3pk62ls PLHCLDT03ZwnpMmrhaKnKXtexuXYCpHZc9ZUaEFUvUzhh6wGQQLYPAA0y1BwAVB0Eq REj6D9O0Cwt/JFO8xmMRVWZOb7j5JAyiJ5DwvGnwcuiCjBHn3WtPO7TkH/l0 VcKauomaBJypNliqEDvyV6N5VRE9DaBISBxhIe/lnqT5e8lFzBS dTknIQm1M7W6XtnBsvhVOZjHwNmMDyjESsfx8vmmA9cYundBgRv3w3Jj7cm/ gp01/jAfMwbSGNlrViJV74d 8wlC3ACd8Xs5iSfOPnHAqJyimMY2ShQNbb34rcplEQ7FJ9hNOM HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: updatejs.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 02 Apr 2015 11:23:50 GMT
Content-Length: 0


The not-a-virus connects to the servers at the following location(s):

spbiu.exe_664:

.text
`.rdata
@.data
.rsrc
@.reloc
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
operator
GetProcessWindowStation
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.2.3
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.2
CREATE TEMP TABLE sqlite_temp_master(
Catcher.ProcessId:
Catcher.Path:
Watcher.Filter:
/Url:
Update.xml
URLSet
Report
homeURL
suggestURL
newTabURL
ieSearchURL
chSearchURL
ffSearchURL
opSearchURL
chromeKeyword
[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]
vup.tmp
Argument.CheckResult:
Argument.IsRunning:
Delivery of report succeeded. TaskId:
Delivery of report failed.
SHDeleteKeyW
RegDeleteKeyExA
RegDeleteKeyExW
NtQueryKey
1.3.6.1.4.1.311.2.1.12
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
Snapshot.xml
GoogleChrome
MozillaFirefox
AboutTabsUrl
HomePageUrl
DefaultProviderKeyword
UrlsToRestoreOnStartup
StartupHomepageUrl
ParentKey:
1, 0, 0, 4
Envelop.xml
UrlSet
Configuration.xml
Opera
StartPageUrl
AboutTabUrl
SearchScopeUrl
SearchScopeIconUrl
SearchScopeSuggestUrl
DefaultProviderSearchUrl
DefaultProviderIconUrl
DefaultProviderSuggestUrl
SearchPluginUrl
SearchPluginSuggestionUrl
TabPageUrl
SearchEngineFaviconUrl
SearchEngineSuggestionUrl
SearchEngineSearchUrl
SearchEngineKeyword
System.xml
Reset-2.1.0.7
ReportUrl
UpdateUrl
ReportDlls
User.xml
Argument.Snapshot:
Argument.GeneralConfig:
Argument.Flags:
favicon_url
keyword
originating_url
suggest_url
keyword LIKE '
WHERE key = 'Default Search Provider ID'
keywords
DELETE from keywords WHERE id =
key = 'Default Search Provider ID'
icon_url
search_url
urls_to_restore_on_startup
startup_urls
chrome_url_overrides
instant_url
web_url
search_icon.png
%d-%m-%Y %H:%M, %a
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
cannot join using column %s - column not present in both tables
%s.%s
ORDER BY clause should come after %s not before
%s:%d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
sqlite_subquery_%p_
no such index: %s
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create INSTEAD OF trigger on table: %S
no such trigger: %S
no such column: %s
-- TRIGGER %s
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
cannot use index: %s
at most %d tables in a join
%s AS %s
TABLE %s
%s WITH INDEX %s
%s WITH AUTOMATIC INDEX
%s USING PRIMARY KEY
%s VIA MULTI-INDEX UNION
%s ORDER BY
%s VIRTUAL TABLE INDEX %d:%s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
large file support is disabled
unknown database: %s
no such vfs: %s
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
misuse at line %d of [%.10s]
SQLITE_
d:d:d
d-d-d d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
%s-shm
%s\etilqs_
OsError 0x%x (%u)
Recovered %d frames from WAL file %s
invalid page number %d
Failed to read ptrmap key=%d
2nd reference to page %d
%d of %d pages missing from overflow list starting at %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
freelist leaf count too big on page %d
failed to get page %d
unable to get the page. error code=%d
Page %d:
On tree page %d cell %d:
btreeInitPage() returns error code %d
On page %d at right child:
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Pointer map page %d is referenced
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
abort at %d in [%s]: %s
cannot open savepoint - SQL statements in progress
constraint failed at %d in [%s]
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot rollback transaction - SQL statements in progress
sqlite_master
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
cannot change %s wal mode from within a transaction
cannot open virtual table: %s
statement aborts at %d: [%s] %s
no such column: "%s"
cannot open view: %s
indexed
foreign key
cannot open %s column for writing
cannot open value of type %s
misuse of aliased aggregate %s
%s: %s.%s
%s: %s.%s.%s
not authorized to use function: %s
%s: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_trigger
sqlite_rename_table
sqlite_rename_parent
%s OR name=%Q
sqlite_
there is already another table or index with this name: %s
view %s may not be altered
table %s may not be altered
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
DELETE FROM %Q.%s WHERE tbl=%Q
CREATE TABLE %Q.%s(%s)
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
invalid name: "%s"
database %s is already in use
no such database: %s
unable to open database: %s
cannot detach database %s
sqlite_detach
database %s is locked
%s %T cannot reference objects in database %s
sqlite_attach
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
too many columns on %s
table "%s" has more than one primary key
default value of column [%s] is not constant
no such collation sequence: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
view %s is circularly defined
use DROP TABLE to delete table %s
table %s may not be dropped
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
indexed columns are not unique
unknown column "%s" in foreign key definition
views may not be indexed
table %s may not be indexed
there is already a table named %s
virtual tables may not be indexed
sqlite_autoindex_%s_%d
index %s already exists
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.%s WHERE name=%Q
a JOIN clause is required before %s
table %s may not be modified
unable to identify the object to be reindexed
cannot modify %s because it is a view
sqlite_version
sqlite_compileoption_used
sqlite_source_id
sqlite_compileoption_get
foreign key mismatch
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has no column named %s
PRIMARY KEY must be unique
%s.%s may not be NULL
unable to open shared library [%s]
sqlite3_extension_init
error during initialization: %s
no entry point [%s] in shared library [%s]
automatic extension loading failed: %s
foreign_keys
C:\Builds\Build_ShopperProMulti\BrowserInjection\Bin\ShopperPro_SPBIUpdate\Win32\WinMV\Release\spbiu.pdb
SHELL32.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
Secur32.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
CreatePipe
ConnectNamedPipe
CreateNamedPipeW
GetNamedPipeInfo
DisconnectNamedPipe
GetCPInfo
GetProcessHeap
RegCreateKeyW
RegCreateKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegDeleteKeyA
RegDeleteKeyW
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyA
RegEnumKeyExW
RegCloseKey
RegEnumKeyW
.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVPipedProcess@Utils@SpeedBit@@
.?AVImplementation@PipedProcess@Utils@SpeedBit@@
.?AVImplementation@MachineKey@Utils@SpeedBit@@
.?AVMachineKey@Utils@SpeedBit@@
.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@
.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@Implementation@General@Config@SpeedBit@@
.?AVOperaSettings@Implementation@General@Config@SpeedBit@@
.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@
.?AVSettings@Firefox@General@Config@SpeedBit@@
.?AVSettings@Opera@General@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@
.?AVValueSet@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@General@Config@SpeedBit@@
.?AVValueSet@Firefox@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Firefox@User@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Chrome@User@Config@SpeedBit@@
.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@
.?AVBrowserSettings@Chrome@SpeedBit@@
.?AVWebDataDB@SQLite@SpeedBit@@
.?AVImplementation@WebDataDB@SQLite@SpeedBit@@
.?AVException@sql@@
// SpeedBit hidden execute
if (WScript.Arguments.length > 0) {
    var root = WScript.Arguments(0);
    var args = [];  // remaining command-line arguments are passed through to the target
    for (var i = 1, n = WScript.Arguments.length; i < n; i++)
        args.push(WScript.Arguments(i));
    // quote the target path, stripping trailing backslashes and normalising forward slashes
    var path = "\"" + root.replace(/\\*$/, "").replace(/\//g, "\\") + "\"";
    path += " \"" + args.join("\" \"") + "\"";
    var shell = WScript.CreateObject("WScript.Shell");
    shell.Run(path, 0, false);  // window style 0: the target runs without a visible window
}
<requestedExecutionLevel level='highestAvailable' uiAccess='false' />
combase.dll
kernel32.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
Injection::Snapshot::Controller::IsChromeInstalled
Chrome installed:
Chrome unchanged:
Checking<Parameter.Input>
Checking<Parameter.Key>
logs\${ModuleName}.${Pid}.log
WatchmanKey::TimeBomb::UninstallTimeBomb
Reporting
1.0.0.4
Chrome::StartPageProtectionEnabled
Chrome::SearchEngineProtectionEnabled
Chrome::RestoreOnStartupProtectionEnabled
Chrome::StartPageProtectionDisabled
Chrome::SearchEngineProtectionDisabled
Chrome::RestoreOnStartupProtectionDisabled
ProcessCatcher::ExecutionContext::Resume
Allocation<ExecutionContext>
ProcessMonitor::ExecutionContext::Resume
EndsBy:\iexplore.exe|EndsBy:\rundll32.exe
EndsBy:\chrome.exe
EndsBy:\firefox.exe
iexplore.exe
rundll32.exe
chrome.exe
firefox.exe
opera.exe
spbici32.dll
spbifi32.dll
spbioi32.dll
spbii32.exe
Utils::PipedProcess::Create
Utils::PipedProcess::Start
Utils::PipedProcess::WriteData
[ReportDllsThread]
ProcessWatcher::ExecutionContext::Resume
spbia.exe
Utils::PipedProcess::ReadData
Utils::PipedProcess::Wait
Utils::PipedProcess::WriteEof
Utils::MachineKey::Create
Utils::MachineKey::Generate
Encrypt data. Key:
Decrypt data. Key:
Package url:
WatchmanKey::Updater::SetLastTime
.Service
/report
/report1
%d.%d.%d.%d%n
Created URL Set object from configuration. Name:
UrlSetID:
Could not find matching URL set... Using old configuration
spbiu.exe
[LocalScope::UpdateParser::ParseReportSection]
Monitor::ServerEncryption::CreateSessionKey
Full url:
Data url:
sbu.exe
spbiw.sys
wscript.exe
spbihe.js
[Monitor::WatchmanGuard::SendReport]
Monitor::ServerReporter::Create
/urlset:
Options.InjectAllBrowsers:
Options.InjectDefaultOnly:
Options.ServiceName:
Options.ProductCode:
Options.ProductPriority:
Options.UpdateUrl:
Options.ReportUrl:
Options.AutoStart:
Options.ProtectSearch:
Options.ProtectHome:
Options.ProtectTab:
Options.ExplorerInjection:
Options.ChromeInjection:
Options.FirefoxInjection:
Options.OperaInjection:
Options.ConfigPath:
Options.ConfigKey:
Getting current URL Set
Getting URL Set from options
] Provided. And is different from current URL set [
URL Set [
Need to send report!!!
ServerReporter::Create
general_config.xml
system_config.xml
[WatchmanInstaller::SendReport1]
iexplore.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
[WatchmanInstaller::SendReport]
Currently set URLSet:
Updating system config with new URL set...
Already reported duiring first install
Report' been sent:
WatchmanInstaller::SendReport1
calling SendReport1...
WatchmanInstaller::SendReport
[Monitor::WatchmanMonitor::CreateSendReportTask]
SendReportTask
new<SendReportTask>
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportFailed]
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
User has changed the chrome protection for:
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
User has reset the firefox protection:
Next report task:
Scheduller::RegisterTask<SendReportTask>
Monitor::Application::EnsureSystemKey
Options.Revert:
Settings.Final:
@ADVAPI32.DLL
shlwapi.dll
Utils::Registry::OpenKeyExW
Subkey:
[Utils::Registry::RecursiveDeleteKeyW]
SHLWAPI.GetAddressOf<SHDeleteKeyW>
WKERNEL32.DLL
VERSION.DLL
NTDLL.DLL
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::SpawnProcess]
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::SpawnProcess
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Wait]
Utils::PipedProcess::WriteProc
[Utils::PipedProcess::WriteData]
Utils::PipedProcess::ReadProc
[Utils::PipedProcess::ReadData]
.cache
FIPHLPAPI.DLL
X-hX-hX-XX-XXXXXX
\\.\pipe\
Could not create thread event. %%s
Could not create new client event. %%s
Could not create accept thread. %%s
Could not create work thread. %%s
Could not start thread. %%s
Stop IPC error. %%s
Pipe (0x%X) read problems. %%s
IAction::QueryInterface<IExecAction>
IExecAction::put_Path
IExecAction::put_WorkingDirectory
IExecAction::put_Arguments
http\shell\open\command
[Utils::SoftwareInfo::GetHttpOpenHandler]
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
[SynchronousPipe::Write]
[SynchronousPipe::Read]
Error code: %u ('%s')
Could not allocate IPC memory. Requires size: %u
Could not create pipe. %%s
Could not create pipe event. %%s
Event error. %%s
Pipe connecting error. %%s
FCould not create IPC event. %%s
SHELL32.DLL
Google\Chrome
\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
\resources.pak
\Google\Chrome\Application\
\Web Data
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Monitor::RestoreData::Controller::Build<ChromeSettings>]
[Monitor::RestoreData::Controller::Build<FirefoxSettings>]
[Injection::Snapshot::Builder::BuildSettings<ChromeSettings>]
[Injection::Snapshot::Builder::BuildSettings<FirefoxSettings>]
new<ChromeSettings>
Injection::Snapshot::Parser::Parse<ChromeSettings>
new<FirefoxSettings>
Injection::Snapshot::Parser::Parse<FirefoxSettings>
ReadStringNode<AboutTabsUrl>
[Injection::Snapshot::Parser::Parse<ChromeSettings>]
ReadStringNode<DefaultProviderKeyword>
[Injection::Snapshot::Parser::Parse<FirefoxSettings>]
[Injection::Snapshot::Controller::IsChromeInstalled]
Chrome::BrowserSettings::Create
[Injection::Snapshot::Controller::IsFirefoxInstalled]
Firefox::BrowserSettings::Create
Argument.UserSid:
WatchmanKey::Users::SaveRestoreData
[WatchmanKey::GetEncryptionKey]
MachineKey::Generate
MachineKey::Create
[WatchmanKey::LoadEncodedData]
[WatchmanKey::CleanupKey]
WatchmanKey::GetEncryptionKey
[WatchmanKey::SaveEncodedData]
WatchmanKey::System::Open
[WatchmanKey::System::LoadGeneralConfig]
[WatchmanKey::System::SaveGeneralConfig]
WatchmanKey::LoadEncodedData
WatchmanKey::SaveEncodedData
WatchmanKey::System::Ensure
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::System::LoadSystemConfig]
WatchmanKey::EnsureKey
[WatchmanKey::Users::Ensure]
WatchmanKey::OpenKey
[WatchmanKey::Users::Open]
[WatchmanKey::Users::LoadConfiguration]
[WatchmanKey::Users::SaveConfiguration]
WatchmanKey::Users::Ensure
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::GetBlackListHash]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::TimeBomb::Uninstall]
WatchmanKey::SystemKey::Open
Argument.SystemConfig:
Argument.Config::User:
Argument.Config::General:
IEBHO.DLL
DATAMNGR.DLL
[Config::General::UrlSet::Copy]
[Config::General::Chrome::Settings::Dump]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Firefox::Settings::Dump]
[Config::General::Opera::Settings::Dump]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Opera::Settings::Copy]
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseOperaSettings
lReadStringNode<StartPageUrl>
ReadStringNode<AboutTabUrl>
ReadStringNode<SearchScopeUrl>
ReadStringNode<SearchScopeIconUrl>
ReadStringNode<SearchScopeSuggestUrl>
MissedElement<GoogleChrome>
[Config::General::Parser::ParseChromeSettings]
[Config::General::Parser::ParseChromeValueSets]
Config::General::Parser::ParseChromeValueSets
ReadStringNode<HomePageUrl>
gReadStringNode<DefaultProviderSearchUrl>
ReadStringNode<DefaultProviderIconUrl>
ReadStringNode<DefaultProviderSuggestUrl>
MissedElement<MozillaFirefox>
[Config::General::Parser::ParseFirefoxSettings]
[Config::General::Parser::ParseFirefoxValueSets]
Config::General::Parser::ParseFirefoxValueSets
ReadOptionalStringNode<HomePageUrl>
ReadOptionalStringNode<SearchPluginUrl>
ReadOptionalStringNode<SearchPluginSuggestionUrl>
[Config::General::Parser::ParseUrlSet]
MissedElement<UrlSet>
ReadStringNode<TabPageUrl>
ReadStringNode<SearchEngineFaviconUrl>
ReadStringNode<SearchEngineSuggestionUrl>
dReadStringNode<SearchEngineSearchUrl>
[Config::General::Parser::ParseOperaSettings]
ReadStringNode<SearchEngineKeyword>
MissedElement<Opera>
ReadStringNode<Key>
[Config::General::Builder::Build<ChromeSettinsg>]
[Config::General::Builder::Build<OperaSettinsg>]
[Config::General::Builder::Build<FirefoxSettinsg>]
We couldn't find the URL Set section... probably an old configuration!
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::SaveGeneralConfig
H2.1.0.7
2.0.0.0
ReadOptionalStringNode<UrlSet>
ReadStringNode<ReportUrl>
ReadStringNode<UpdateUrl>
ReadBooleanNode<MozillaFirefox>
ReadBooleanNode<GoogleChrome>
Could not find URL Set in configuration. Probably older configuration.
ReadBooleanNode<Opera>
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::SaveSystemConfig
[Config::User::Chrome::Settings::Copy]
[Config::User::Firefox::Settings::Copy]
Config::User::Parser::ParseChromeSettings
Config::User::Parser::ParseFirefoxSettings
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Builder::BuildFirefoxSettings]
[Config::User::Builder::BuildChromeSettings]
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::SaveConfiguration
[Chrome::BrowserSettings::OpenConfigFiles]
SQLite::WebDataDB::Create
Chrome::InstallInfo::Get
[Chrome::BrowserSettings::SetHomePagePreferences]
Argument.HomePageIsNewTabPage:
Argument.HomePageUrl:
Argument.DefaultProviderId:
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
Argument.DefaultProviderName:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderSearchUrl:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderSuggestUrl:
Argument.DefaultProviderIconUrl:
Argument.RestoreOnStartup:
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
[Chrome::BrowserSettings::GetSearchProviderId]
Argument.UrlsToRestoreOnStartup:
SQLite::WebDataDB::GetFirstProviderId
Argument.KeywordToSearch:
Result.ProviderId:
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::Values::Create
[Chrome::BrowserSettings::EnsureSearchProvider]
Key deleted:
[Chrome::BrowserSettings::DeleteSearchProvider]
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::RestoreState]
Chrome::BrowserSettings::DeleteSearchProvider
Chrome::BrowserSettings::OpenConfigFiles
SQLite::WebDataDB::SetDefaultProvider
[Chrome::BrowserSettings::PropagateState]
Chrome::BrowserSettings::EnsureSearchProvider
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetProviderId]
[SQLite::Implementation::GetFirstProviderId]
chrome-extension://
Checking<extensions.settings>
%Program Files%\Common Files\ShopperPro\spbiu.exe
1.2.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:692
    spbia.exe:1252
    ShopperPro.exe:1100
    spbiu.exe:2000
    spbiu.exe:664
    spbiu.exe:1936
    sc.exe:920
    wscript.exe:1276
    ShopperProJSINJFull.exe:164
    regsvr32.exe:448
    setup.exe:676

  3. Delete the original not-a-virus file.
  4. Delete or disinfect the following files created/modified by the not-a-virus:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (30673 bytes)
    %WinDir%\Tasks\ShopperPro.job (1974 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (11 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
    %Program Files%\ShopperPro\config.json (215 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (439 bytes)
    %WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup1.exe (143233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NK.lky (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\setup.exe (1588424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (152667 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\D1958.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsExec.dll (6 bytes)
    %Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
    %Program Files%\ShopperPro\Updater.exe (25112 bytes)
    %Program Files%\ShopperPro\manifest.json (595 bytes)
    %Program Files%\ShopperPro\database1_0_0.json (11 bytes)
    %Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
    %Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
    %Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
    %Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
    %Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
    %Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
    %Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
    %Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\jsdrv.exe (100378 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\AccDownload.dll (11344 bytes)
    %Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
    %Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
    %Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
    %Program Files%\Common Files\ShopperPro\spbici32.dll (36698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns9.tmp (6 bytes)
    %Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
    %Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
    %Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (344806 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\ns8.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\MoreInfo.dll (7 bytes)
    %Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
    %WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
