mzpefinder_pcap_file.YR, Qakbot.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDownloaderVundo.YR, TrojanPSWOnlineGames.YR, PUPHomePages.YR, PackedMysticCompressor.YR, GenericDownloader.YR, RATTurkojan.YR, GenericAutorunWorm.YR, SpyEye.YR, Necurs.YR, PackedThemida.YR, GenericPhysicalDrive0.YR, Bancos.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Banker, OnlineGames, Trojan, Worm, Packed, PUP, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 76507644f6d260d0bd52b3650c4c3991
SHA1: 6f50fb678f311c17be31f51c36cd1be2c2094640
SHA256: c5217ce2b55c003a08bf4d1dd3063ecf28a23089e2f52fc52e7f1e664d74aafc
SSDeep: 49152:58JnE3qBoj9ghi1RebpyTIg9Cbk/VRduSwZPSCdDS OuSlMQSFh6:58JnEwoj9ghi1RebMIg9Cbk/VeS
Size: 2042440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: iS3, Inc.
Created at: 2015-04-07 19:50:21
Analyzed on: Windows7Ada SP1 64-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them. This is a generic verdict: the Company field above and the file, service and driver activity recorded below consist of STOPzilla (iS3, Inc.) components and Windows driver-installation artifacts, so weigh the automated classification against that.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm that spreads via removable drives: it writes its executable and an "autorun.inf" script to every removable drive, and the script executes the Trojan's file when a user opens the drive in Windows Explorer. |
IRCBot | A bot that communicates with its command-and-control servers over an IRC channel. |
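
The WormAutorun row describes the autorun.inf chain only in the abstract, and no autorun.inf write appears in the file activity below. The following added example (written for this page, not code from the Lavasoft report or from STOPzilla) shows what an analyst actually inspects in such a file: which directives launch code and which merely relabel the drive. Both autorun.inf contents are constructed. Note that Windows 7, the analysis platform named above, does not process autorun.inf AutoPlay actions from USB mass-storage devices, so on that platform the chain depends on the user launching the file.

```python
import configparser

# Constructed autorun.inf contents (not taken from the report): a benign vendor file
# that only sets an icon and label, and one that chains the drive to an executable.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

CHAINED_INF = """[autorun]
; shell\\open=&Open relabels the attacker's verb so it reads like Explorer's own "Open"
open=setup\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open=&Open
shell\\open\\command=setup\\update.exe
shell\\explore\\command=setup\\update.exe
"""


def _load(inf_text):
    """Parse an autorun.inf; returns (parser, section name) with a case-insensitive
    lookup of [autorun], or (parser, None) if the section is absent."""
    # strict=False tolerates the duplicate keys worms pad these files with;
    # interpolation=None keeps '%SystemRoot%' literal instead of raising.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return cp, section


def autorun_launch_targets(inf_text):
    """Return (key, command) pairs for every directive that launches code.
    Only open=, shellexecute= and shell\\<verb>\\command= run a program; icon=,
    label= and action= only change how the drive is presented."""
    cp, section = _load(inf_text)
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):  # ConfigParser lower-cases key names
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def autorun_verdict(inf_text):
    """List the reasons an autorun.inf deserves attention (empty list = nothing suspicious)."""
    cp, section = _load(inf_text)
    reasons = []
    targets = autorun_launch_targets(inf_text)
    if targets:
        reasons.append("launches code: " + ", ".join(f"{k}={v}" for k, v in targets))
    if section and (cp.has_option(section, "shell\\open") or cp.has_option(section, "action")):
        reasons.append("relabels the AutoPlay/Explorer verb to look like a normal folder open")
    return reasons


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("chained", CHAINED_INF)):
        print(name, autorun_verdict(inf) or ["no launch directives"])
```

The two checks are deliberately separate: a file that relabels the verb but launches nothing is odd but harmless, while a file that launches code without any relabeling is still the worm's vector.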
Process activity
The Trojan creates the following process(es):
SBSetupDrivers.exe:3152
SBSetupDrivers.exe:1812
%original file name%.exe:1912
runonce.exe:3092
runonce.exe:2736
GFI.Tools.Run64.exe:1928
DrvInst.exe:2212
DrvInst.exe:1680
STOPzilla.exe:3836
RUNDLL32.exe:3528
regsvr32.exe:3500
regsvr32.exe:1496
SZNetAssistant.exe:3916
mobsync.exe:3264
SZServer.exe:3384
SZServer.exe:992
SZWSC.exe:3788
SZWSC.exe:2612
MsiExec.exe:2456
MsiExec.exe:2624
The Trojan injects its code into the following process(es):
SBAMSvc.exe:3448
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process SBSetupDrivers.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\sbwtis.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys (122 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\sbapifs.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys (65 bytes)
C:\Windows\System32\drivers\sbhips.sys (65 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (17489 bytes)
C:\Windows\System32\drivers\sbapifs.sys (90 bytes)
C:\Windows\System32\drivers\SbFw.sys (1543 bytes)
The process SBSetupDrivers.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\SETEAAC.tmp (601 bytes)
C:\Windows\System32\drivers\SbFwIm.sys (601 bytes)
C:\Windows\System32\DriverStore\infpub.dat (496 bytes)
C:\Windows\System32\drivers\sbhips.sys (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB51.tmp (3 bytes)
C:\Windows\System32\config\SYSTEM (6769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB5.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB4.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB31.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\amd64\wnet\SETDB62.tmp (601 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (9355 bytes)
C:\Windows\System32\catroot2\dberr.txt (1248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (9771 bytes)
C:\Windows\System32\drivers\SbFw.sys (1281 bytes)
C:\$Directory (768 bytes)
C:\Windows\inf\oem13.PNF (8464 bytes)
C:\Windows\inf\oem14.PNF (4811 bytes)
C:\Windows\System32\drivers\SETED8A.tmp (601 bytes)
The process SBAMSvc.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\Definitions\LKGD\elf_hash.dat (5280 bytes)
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a81bb17e1f5dc49a730b06b63f6d28e9_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libNSIS.dll (3729 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504170900.xml (414 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ih.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\EPSigs.vdx (65 bytes)
C:\ProgramData\STOPzilla!\ThreatNetConfig.xml (810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\mime0.std (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsCab.dll (6049 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRar.dll (5729 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiarkup.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\gfiark.dll (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white0.std (15 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsi.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cblk.vtd (1236324 bytes)
%Program Files% (x86)\STOPzilla\Definitions\networkrules.dat (4 bytes)
%Program Files% (x86)\STOPzilla\Definitions\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl64.sys (310 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libtd.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhsl.vtd (22430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libtd.dll (2377 bytes)
%Program Files% (x86)\STOPzilla\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\adsrules.dat (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\SBTS.dat (3280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libEmail.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\macroptn.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\macroptn.std (7306 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\smim0.std (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatDesc.vdx (673 bytes)
C:\ProgramData\STOPzilla!\ServiceConfig.xml (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hcol.wtd (226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lgpl.dll (7345 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apincl.dat (7140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libCHM.dll (1873 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sdll0.std (223360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\updater.dll (3665 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatDT.vdx (392 bytes)
%Program Files% (x86)\STOPzilla\Definitions\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\IncompatiblePrograms.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\api0.std (3073 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\SBTE.dll (49 bytes)
C:\ProgramData\STOPzilla!\History\20150425042029.xml (38 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libNSIS.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\api0.std (524 bytes)
%Program Files% (x86)\STOPzilla\Definitions\DefVer.txt (26 bytes)
C:\ProgramData\STOPzilla!\FirewallConfig.xml (1434 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\heur0.std (20 bytes)
%Program Files% (x86)\STOPzilla\mimepp.dll (212 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\remediation.dll (7961 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRTF.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\updater.dll (849 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libBase64.dll (7025 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dnrl.vdx (1513 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\TImem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sdll0.std (64896 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libVvs.dll (12217 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\networkrules.dat (40 bytes)
C:\ProgramData\STOPzilla!\RegistrationConfig.xml (2408 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\whsl.wtd (41850 bytes)
C:\ProgramData\STOPzilla!\ThreatDefinitionsConfig.xml (2236 bytes)
%Program Files% (x86)\STOPzilla\gfiutl64.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dex_hash.dat (132706 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RegDT.vdx (36934 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FastSigs.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RTmem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiarkup.dll (2537 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FolderDT.vdx (1953 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libZip.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrl.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dex_hash.dat (378000 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libZip.dll (3441 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatDesc.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FileDT.vdx (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\VVSSigs.vdx (360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ih.vdx (11863 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CoreVer.txt (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhmem.vtd (484 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Cookies.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dnrl.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libOleA.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatDT.vdx (545890 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libOleA.dll (4497 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ihmem.vtd (540 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMachoUniv.dll (2337 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\whsl.wtd (4185 bytes)
%Program Files% (x86)\STOPzilla\Definitions\remediation.dll (2449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libOleA.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dat (84216 bytes)
%Program Files% (x86)\STOPzilla\Definitions\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\patchw32.dll (3226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libCHM.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\networkrules.dat (4 bytes)
C:\Windows\System32\drivers\gfiark.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\WebFilterExceptions.dat (1840 bytes)
%Program Files% (x86)\STOPzilla\Definitions\EPSigs.vdx (65 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hstn.vtd (1369 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libZip.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hstn.vtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hstn.vtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\incompats.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMachoUniv.dll (673 bytes)
C:\ProgramData\STOPzilla!\SoftwareUpdateConfig.xml (1244 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark64.sys (41 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\adsrules.dat (281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cmem.vtd (692 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\EPSigs.vdx (650 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dll (62 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ip.vtd (8240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\remediation.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\IncompatiblePrograms.dll (2281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\whsl.wtd (5041 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libNSIS.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatID.vdx (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\acertdefs0.std (4770 bytes)
%Program Files% (x86)\STOPzilla\Definitions\idsrules.dat (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark.dll (955 bytes)
%Program Files% (x86)\STOPzilla\Definitions\script0.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FileDT.vdx (3227 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\patchw32.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lgpl.dll (13065 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\bhsl.vtd (224300 bytes)
%Program Files% (x86)\STOPzilla\Definitions\HistoryCleaner.xml (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RegDT.vdx (74330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cname.wtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\JSSigs.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libEmail.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lib7zip.dll (4425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark.dll (29 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FastSigs.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libVvs.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RegDT.vdx (7433 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libEmail.dll (6505 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RTA84430 (5516 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dat (86490 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBBIN.RTP (405 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bmem.vtd (708 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FolderDT.vdx (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libBase64.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apprules.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lgpl.dll (73450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hcol.wtd (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrlmem.vtd (554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cname.wtd (905 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dexmem.vtd (348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sel.dat (6 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnf.vdx (5410 bytes)
%Program Files% (x86)\STOPzilla\SBAMConfig.bin (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ctid.vtd (2001852 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\JSSigs.vdx (1 bytes)
C:\ProgramData\STOPzilla!\HIPSConfig.xml (3056 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl32.sys (240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsCab.dll (2321 bytes)
%Program Files% (x86)\STOPzilla\Definitions\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\patchw32.dll (1514 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white.wtd (3903230 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\defs0.std (50348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\vcore.dll (395060 bytes)
%Program Files% (x86)\STOPzilla\Definitions\vcore.dll (40233 bytes)
%Program Files% (x86)\STOPzilla\Definitions\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRar.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark64.sys (410 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ih.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\script0.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xml (470 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\JSSigs.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark32.sys (823 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsCab.dll (23210 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\idsrules.dat (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FileDT.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\comp0.std (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dex_hash.dat (1327060 bytes)
%Program Files% (x86)\STOPzilla\gfiark64.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRTF.dll (1761 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\Cookies.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\updater.dll (6730 bytes)
C:\ProgramData\STOPzilla!\APConfig.xml (592 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RootCA.wtd (340 bytes)
%Program Files% (x86)\STOPzilla\Definitions\rem0.std (9605 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\pack0.std (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsi.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white.wtd (492846 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hcol.wtd (500 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dll (450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\idsrules.dat (136 bytes)
C:\ProgramData\STOPzilla!\HttpServerConfig.xml (624 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiarkup.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRTF.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libVvs.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatID.vdx (8632 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white0.std (150 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ckmem.vdx (412 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\defs0.std (852280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\HistoryCleaner.xml (6730 bytes)
%Program Files% (x86)\STOPzilla\SbHips.dll (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dll (620 bytes)
C:\ProgramData\STOPzilla!\CountScans.XML (338 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\AdviceTx.vdx (100 bytes)
%Program Files% (x86)\STOPzilla\gfiutil.dll (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\rem0.std (57449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sel.dat (6 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMThreatEngineLog.csv (1134046 bytes)
C:\Windows\System32\drivers\gfiutil.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cblk.vtd (998680 bytes)
%Program Files% (x86)\STOPzilla\Definitions\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\kbu.dll (127 bytes)
%Program Files% (x86)\STOPzilla\FSSC.dat (12 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dat (842160 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMachoUniv.dll (6730 bytes)
C:\ProgramData\STOPzilla!\WSCConfig.xml (1330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libtd.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lib7zip.dll (6730 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504171201.xml (370 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark64.sys (41 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504202902.xml (370 bytes)
%Program Files% (x86)\STOPzilla\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutil.dll (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sdll0.std (22336 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark.dll (290 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRar.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lib7zip.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xsd (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatID.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatDT.vdx (54589 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\bhsl.vtd (40124 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark32.sys (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\api0.std (30730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libCHM.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sel.dat (60 bytes)
%Program Files% (x86)\STOPzilla\Definitions\defs0.std (85228 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\script0.std (5374 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ctid.vtd (3413080 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\vcore.dll (76554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\macroptn.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\rem0.std (96050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsi.dll (3761 bytes)
C:\ProgramData\STOPzilla!\EmailAVConfig.xml (205 bytes)
%Program Files% (x86)\STOPzilla\Definitions\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatDesc.vdx (180 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white0.std (15 bytes)
C:\ProgramData\STOPzilla!\ScanConfig.xml (2932 bytes)
%Program Files% (x86)\STOPzilla\SBTIS.dll (114 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white.wtd (390323 bytes)
%Program Files% (x86)\STOPzilla\Definitions\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\Cookies.vdx (3097 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cblk.vtd (9985728 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\fsigs.vdx (1920 bytes)
%Program Files% (x86)\STOPzilla\Definitions\adsrules.dat (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\unpck0.std (550 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FolderDT.vdx (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libBase64.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatID.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FastSigs.vdx (280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\HistoryCleaner.xml (5951 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMSvcLog.csv (1383028 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ctid.vtd (341308 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cname.wtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnr.vdx (80 bytes)
The process %original file name%.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarF5E3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabF5E2.tmp (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\STOPzilla7.msi (1643823 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
The process runonce.exe:3092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
The process runonce.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
The process GFI.Tools.Run64.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\SBSetupDrivers.exe (180 bytes)
The process DrvInst.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDC0D.tmp (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDBFC.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (940 bytes)
C:\Windows\inf\oem13.inf (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\amd64\wnet\SETDC0E.tmp (601 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\sbfwim.PNF (8464 bytes)
The process DrvInst.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDE0.tmp (8 bytes)
C:\Windows\inf\oem14.inf (1 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1628 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1325 bytes)
C:\Windows\System32\DriverStore\infstor.dat (748 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDF0.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim_m.inf_amd64_neutral_9058dec7bb12b258\sbfwim_m.PNF (4811 bytes)
The process STOPzilla.exe:3836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\S-1-5-21-2858020935-2156992550-3658131804-1003.stopzilla7.log (24142 bytes)
C:\ProgramData\STOPzilla!\sz7.data-journal (4518 bytes)
C:\ProgramData\STOPzilla!\sz7.data (1853 bytes)
The process RUNDLL32.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\OLD168C.tmp (601 bytes)
C:\Windows\System32\drivers\SET169B.tmp (691 bytes)
The process regsvr32.exe:3500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\x64\SBAMSvcPS.dll (69 bytes)
The process regsvr32.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll (446 bytes)
The process SZNetAssistant.exe:3916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\cfc791fe-c515-4b74-a3d5-bd35083fed43 (223 bytes)
C:\Windows\Temp\b547cdad-d8a5-4d61-95a2-f7616170c67e (223 bytes)
C:\Windows\Temp\ae0b2b8c-b2b5-4e50-b7ff-769522044179 (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz-net-assist.log (19768668 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Windows\Temp\fff275e4-419b-48fe-963a-c0011a05bfb9 (48733 bytes)
C:\Windows\Temp\037d4f6a-0574-4316-b003-d803b0bc2577 (24945 bytes)
C:\Windows\Temp\4c7c3001-c7cf-4f43-88e1-0f52a08e06a9 (223 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Windows\Temp\59db4a19-a509-4b93-b854-13678662fd8f (10071 bytes)
C:\Windows\Temp\bbe27e88-1190-4118-a730-4f9519d6c74d (30169149 bytes)
C:\Windows\Temp\7f53ae67-47b8-4bf2-aad3-054d5e7e2bf1 (223 bytes)
C:\Windows\Temp\73901abc-e30f-42ed-898e-68cb9217849e (223 bytes)
The process SZServer.exe:3384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\sz7.data-journal (86080 bytes)
C:\ProgramData\STOPzilla!\sz7.data (35985 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7.log (78551 bytes)
The process SZServer.exe:992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\sz7.data-journal (129706 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_o4arGwZ2LOh436Q (80 bytes)
C:\Windows\SysWOW64\msvcr120.dll (974 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7-msi.log (18618 bytes)
C:\ProgramData\STOPzilla!\sz7.data (22161 bytes)
%Program Files% (x86)\STOPzilla\GFI.Tools.Run64.exe (192 bytes)
C:\Windows\SysWOW64\msvcp120.dll (458 bytes)
The process SZWSC.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\wsc.log (6794 bytes)
The process SZWSC.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\wsc.log (11204 bytes)
The process MsiExec.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI16DA.tmp (159 bytes)
Registry activity
The process SBSetupDrivers.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\SbFw]
"Start" = "1"
"ErrorControl" = "1"
"Type" = "1"
"ImagePath" = "system32\drivers\SbFw.sys"
"AlwaysSecure" = "0"
"Tag" = "12"
"DisplayName" = "SbFw"
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\SbFw]
"DependOnService" = "tdx,"
"Group" = "PNP_TDI"
"StatInspEnabled" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\services\SbFw]
The process SBSetupDrivers.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"UpperBind" = "Wanarpv6"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"RootDevice" = "{E73BBB69-B487-482C-A52B-439651CE880D}, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"BlockIPv6" = "0"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"FilterMediaTypes" = "ethernet, wan"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0000\Device Parameters]
"InstanceIndex" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"RootDevice" = "NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NetLuidIndex" = "3"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NetLuidIndex" = "2"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"UpperBind" = "Wanarp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0001"
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"RootDevice" = "NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000100000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"Description" = "GFI Software Firewall NDIS IM Filter"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"sstpsvc.dll,-203" = "Allows you to securely connect to a private network using the Internet."
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanIpv6]
"UpperBindings" = "\Device\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"LowerRange" = "nolower"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"UpperBind" = ""
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"Name" = "Local Area Connection* 9"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0003"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"FilterInfId" = "sb_sbfwimcl"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers]
"pacer.sys,-100" = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterDeviceInfFile" = "sbfwim_m.inf"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"Export" = "\Device\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"Name" = "Local Area Connection* 12"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0002\Device Parameters]
"InstanceIndex" = "3"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"EventMessageFile" = "%SystemRoot%\System32\drivers\sbapifs.sys"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0002"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"Name" = "Local Area Connection* 14"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"DefaultNameIndex" = "13"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000300000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0001\Device Parameters]
"InstanceIndex" = "2"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"DefaultNameIndex" = "14"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"RootDevice" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\services\SbFw]
"StatInspEnabled" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"Characteristics" = "41"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"rascfg.dll,-32008" = "Allows you to securely connect to a private network using the Internet."
"rascfg.dll,-32009" = "Allows you to securely connect to a private network using the Internet."
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"RootDevice" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}, NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"Name" = "Local Area Connection* 13"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"ComponentID" = "sb_sbfwimclmp"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@netcfgx.dll,-50003" = "Allows other computers to access resources on your computer using a Microsoft network."
"@netcfgx.dll,-50002" = "Allows your computer to access resources on a Microsoft network."
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000000000100" = "AE 01 84 04 30 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"FilterList" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"DefaultNameIndex" = "9"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\services\SbFw]
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\services\NDIS\IfTypes\1]
"IfUsedNetLuidIndices" = "01"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Altitude" = "268000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"Service" = "SBFWIMCL"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@tcpipcfg.dll,-50002" = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"HelpText" = "GFI Software Firewall NDIS IM Filter"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Export" = "\Device\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Export" = "\Device\NdisWan_{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\NdisWan_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\NdisWan_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\NdisWan_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\NdisWan_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\NdisWan_{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Export" = "\Device\{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"LocDescription" = "@oem13.inf,%sbfwimcl_desc%;GFI Software Firewall NDIS IM Filter"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Export" = "\Device\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"UpperBind" = "Wanarp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"Export" = "\Device\NdisWanIpv6"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NetCfgInstanceId" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"LowerExclude" = "ndisatm, ndiscowan, ndiswan, ndiswanasync, ndiswanipx, ndiswannbf"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007]
"NetCfgInstanceId" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"NetLuidIndex" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"FilterList" = "{E73BBB69-B487-482C-A52B-439651CE880D}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000, {E73BBB69-B487-482C-A52B-439651CE880D}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"FilterList" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Parameters]
"Param1" = "4"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"Export" = "\Device\NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 92 02"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 1B 01"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 E6 01"
[HKLM\System\CurrentControlSet\Control\Network]
"Config" = "00 00 00 00 00 00 00 00 2B 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 38 00 3F 03"
"Characteristics" = "17424"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Bind" = "\Device\{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"UpperBind" = ""
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"UpperBind" = "Wanarpv6"
[HKLM\System\CurrentControlSet\services\SbFw]
"AlwaysSecure" = "0"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InfPath" = "C:\Windows\INF\oem13.inf"
[HKLM\System\CurrentControlSet\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"TypesSupported" = "7"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"Export" = "\Device\NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 60 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006]
"NetCfgInstanceId" = "{B1422D78-82BA-4FD0-B38A-6203899A1A72}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"rascfg.dll,-32010" = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InfSection" = "SBFWIMCL.ndi"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NetCfgInstanceId" = "{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"DefaultNameIndex" = "12"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"RootDevice" = "NdisWanIpv6"
[HKLM\System\CurrentControlSet\services\sbapifs]
"SupportedFeatures" = "3"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005]
"NetCfgInstanceId" = "{0D252192-084F-4C37-8DED-14986BA82F63}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"NetCfgInstanceId" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"UpperBindings" = "\Device\{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NetLuidIndex" = "0"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanIp]
"UpperBindings" = "\Device\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Route" = "{D720734D-0C14-4C25-829D-F6B4814978B3}, {50CD5E3E-0F08-4519-A9EF-B9802ED12701}, {5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, {B22E8C55-CC74-4FBE-B907-F46D25953BEC}, {CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, {CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Content Screener" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"AlwaysSecure" = "0"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"RootDevice" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}, NdisWanIpv6"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances]
"DefaultInstance" = "ActiveProtection"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NetCfgInstanceId" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"StatInspEnabled" = "1"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.dev.log" = "4096"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Export" = "\Device\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000200000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
"(Default)" = "SBFWIM_Installer"
[HKLM\System\CurrentControlSet\services\NDIS\IfTypes\1]
"IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0000"
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanBh]
"UpperBindings" = "\Device\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "56"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"tcpipcfg.dll,-50001" = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"ComponentID" = "sb_SBFWIMcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"RootDevice" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}, NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"GFI Software Firewall NDIS IM Filter Miniport" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"lltdres.dll,-4" = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008]
"NetCfgInstanceId" = "{360A33D7-AC4E-4F80-8799-45E95D991A99}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"UpperRange" = "noupper"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Flags" = "2"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterDeviceInfId" = "sb_SBFWIMclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"FilterList" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0003\Device Parameters]
"InstanceIndex" = "4"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"TimeStamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 38 00 3F 03"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"lltdres.dll,-3" = "Allows this PC to be discovered and located on the network."
To run itself automatically each time Windows is booted, the Trojan adds the following link to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\services\WfpLwf\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey\Ndi]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{360A33D7-AC4E-4F80-8799-45E95D991A99}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{360A33D7-AC4E-4F80-8799-45E95D991A99}]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{B1422D78-82BA-4FD0-B38A-6203899A1A72}]
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{B1422D78-82BA-4FD0-B38A-6203899A1A72}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{0D252192-084F-4C37-8DED-14986BA82F63}]
[HKLM\System\CurrentControlSet\services\WfpLwf\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}\{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{0D252192-084F-4C37-8DED-14986BA82F63}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Bind"
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Bind"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Bind"
"BindPath"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Bind"
The process SBAMSvc.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432146"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"sbamui"
The process %original file name%.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates]
"27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"
The process runonce.exe:3092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process runonce.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process DrvInst.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process STOPzilla.exe:3836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432178"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "STOPzilla.exe"
The process RUNDLL32.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Altitude" = "268000"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"EventMessageFile" = "%SystemRoot%\System32\drivers\sbapifs.sys"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Flags" = "2"
[HKLM\System\CurrentControlSet\services\sbapifs]
"SupportedFeatures" = "3"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances]
"DefaultInstance" = "ActiveProtection"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Content Screener" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"TypesSupported" = "7"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"sbapifs"
The process regsvr32.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}]
"(Default)" = "_ISBRegistrationEvents"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}\NumMethods]
"(Default)" = "29"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}]
"(Default)" = "_ISBThreatDefinitionsEvents"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}]
"(Default)" = "ISBWebFilter"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}]
"(Default)" = "_ISBScanControlEvents"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}]
"(Default)" = "_ISBLanGuardEvents"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}]
"(Default)" = "ISBHIPS"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}]
"(Default)" = "ISBService"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}]
"(Default)" = "ISBLogger"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}]
"(Default)" = "_ISBWebFilterEvents"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}]
"(Default)" = "_ISBFirewallEvents"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}]
"(Default)" = "ISBActiveProtection"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}\NumMethods]
"(Default)" = "11"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}\InProcServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\sbamsvcps.dll"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}]
"(Default)" = "ISBRegistration"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}]
"(Default)" = "ISBWSC"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}]
"(Default)" = "_ISBEmailAVEvents"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}\NumMethods]
"(Default)" = "19"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}]
"(Default)" = "_ISBActiveProtectionEvents"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}]
"(Default)" = "ISBQuarantine"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}\NumMethods]
"(Default)" = "13"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}]
"(Default)" = "ISBThreatDefinitions"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}]
"(Default)" = "ISBScanControl"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}]
"(Default)" = "_ISBQuarantineEvents"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}]
"(Default)" = "ISBLanGuard"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}\NumMethods]
"(Default)" = "14"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}]
"(Default)" = "_ISBServiceEvents"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}]
"(Default)" = "_ISBHIPSEvents"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}]
"(Default)" = "ISBEmailAV"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}\NumMethods]
"(Default)" = "4"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}\NumMethods]
"(Default)" = "15"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}]
"(Default)" = "ISBFirewall"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}]
"(Default)" = "_ISBWSCEvents"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}]
"(Default)" = "ISBVipre"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}\NumMethods]
"(Default)" = "18"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}]
"(Default)" = "_ISBSoftwareUpdatesEvents"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}\NumMethods]
"(Default)" = "27"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}]
"(Default)" = "ISBSoftwareUpdates"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
The process regsvr32.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\TypeLib]
"Version" = "1.0"
[HKCR\SBAMOutlook.SBOutlookPlugIn\CLSID]
"(Default)" = "{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}]
"(Default)" = "ISBOutlookPlugIn"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}]
"(Default)" = "PSFactoryBuffer"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\ProgID]
"(Default)" = "GFI.SBOEPlugIn.1"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\ProgID]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn.1"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\VersionIndependentProgID]
"(Default)" = "GFI.SBOEPlugIn"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\TypeLib]
"Version" = "1.0"
[HKCR\GFI.SBWLMailPlugIn\CLSID]
"(Default)" = "{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}"
[HKCR\GFI.SBOEPlugIn.1\CLSID]
"(Default)" = "{926195BB-EF79-4201-A585-57E8CA8B9260}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Nektra\OEAPI\Plugins]
"GFI" = "GFI.SBOEPlugIn"
[HKCR\SBAMOutlook.SBOutlookPlugIn.1]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\AppID\{AC7CD0E2-273C-4EAC-B873-904CE5E01472}]
"(Default)" = "SBOutlookExpress"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\GFI.SBOEPlugIn]
"(Default)" = "SBOEPlugIn Class"
[HKCR\SBAMOutlook.SBOutlookPlugIn]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\GFI.SBOEPlugIn\CLSID]
"(Default)" = "{926195BB-EF79-4201-A585-57E8CA8B9260}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\ProgID]
"(Default)" = "GFI.SBWLMailPlugIn.1"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}]
"(Default)" = "ISBOEPlugIn"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\NumMethods]
"(Default)" = "7"
[HKCR\SBAMOutlook.SBOutlookPlugIn\CurVer]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn.1"
[HKCR\GFI.SBWLMailPlugIn.1\CLSID]
"(Default)" = "{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\NumMethods]
"(Default)" = "7"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\GFI.SBOEPlugIn.1]
"(Default)" = "SBOEPlugIn Class"
[HKCR\TypeLib\{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}\1.0\0\win64]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\AppID\SBOutlookExpress.DLL]
"AppID" = "{AC7CD0E2-273C-4EAC-B873-904CE5E01472}"
[HKCR\SBAMOutlook.SBOutlookPlugIn.1\CLSID]
"(Default)" = "{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\TypeLib]
"Version" = "1.0"
[HKCR\GFI.SBWLMailPlugIn]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\VersionIndependentProgID]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\InProcServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\VersionIndependentProgID]
"(Default)" = "GFI.SBWLMailPlugIn"
[HKLM\SOFTWARE\Nektra\WLMAILAPI\Plugins]
"GFI" = "GFI.SBWLMailPlugIn"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}]
"(Default)" = "SBOEPlugIn Class"
[HKCR\GFI.SBOEPlugIn\CurVer]
"(Default)" = "GFI.SBOEPlugIn.1"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\SBAMOutlook.SBOutlookPlugIn.1]
"LoadBehavior" = "3"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}]
"(Default)" = "ISBWLMailPlugIn"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}]
"AppID" = "{AC7CD0E2-273C-4EAC-B873-904CE5E01472}"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\SBAMOutlook.SBOutlookPlugIn.1]
"FriendlyName" = "VIPRE Outlook AntiVirus Object"
[HKCR\GFI.SBWLMailPlugIn.1]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\GFI.SBWLMailPlugIn\CurVer]
"(Default)" = "GFI.SBWLMailPlugIn.1"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
The process SZNetAssistant.exe:3916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 80 3A BC 22"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"47BEABC922EAE80E78783462A79F45C254FDE68B"
[HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates]
"27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"
The process mobsync.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"SyncTime" = "00 00 00 00 00 00 00 00"
"Connected" = "1"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr]
"StartAtLogin" = "0"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"Enabled" = "1"
The process SZServer.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432147"
The process MsiExec.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR]
"(Default)" = ""
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\msxml4.dll"
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0]
"(Default)" = "Microsoft XML, v4.0"
The Trojan deletes the following registry key(s):
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0\win32]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0]
Dropped PE files
MD5 | File path |
---|---|
b161d2688806d6b7a93a79e325be8066 | c:\Program Files (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll |
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark.dll |
fe4d369172ac1cc19c876bdb5bdc31a3 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark32.sys |
4ea5458fca8518344686c543749365b1 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark64.sys |
7604c69f910e7087d6323b6fc1c8c482 | c:\Program Files (x86)\STOPzilla\Definitions\gfiarkup.dll |
d5034f1c940065cbe9febbde733a3e36 | c:\Program Files (x86)\STOPzilla\Definitions\gfiutil.dll |
3eaeb9143a5dbc1082785bbbe8d8cfea | c:\Program Files (x86)\STOPzilla\Definitions\gfiutl32.sys |
16a23ff8621929adc5b18dccd5e206ee | c:\Program Files (x86)\STOPzilla\Definitions\gfiutl64.sys |
5960bad9ff184dcd8f032c7d909cee7e | c:\Program Files (x86)\STOPzilla\Definitions\kbu.dll |
218b5eda2be90c6de35896779a451e63 | c:\Program Files (x86)\STOPzilla\Definitions\lgpl.dll |
00e66576a6546fdbcd8d69fa9a341c90 | c:\Program Files (x86)\STOPzilla\Definitions\lib7zip.dll |
98dbc4ee648e95b2da496d530645bca2 | c:\Program Files (x86)\STOPzilla\Definitions\libBase64.dll |
ed02af97b3b634366ab3a95d01db0e2e | c:\Program Files (x86)\STOPzilla\Definitions\libCHM.dll |
99668910cee4edc6b4b0f85c509b8f53 | c:\Program Files (x86)\STOPzilla\Definitions\libEmail.dll |
ad9b286c561f8003d7c72ac5619c3b4e | c:\Program Files (x86)\STOPzilla\Definitions\libMachoUniv.dll |
71ac4c5a866dd478b2738bed4db9de90 | c:\Program Files (x86)\STOPzilla\Definitions\libMsCab.dll |
02ab09d06f7ce435debac7ef8acf19ae | c:\Program Files (x86)\STOPzilla\Definitions\libMsi.dll |
396dfe4a9cd641e7434f33506ece790b | c:\Program Files (x86)\STOPzilla\Definitions\libNSIS.dll |
c7566f4c1047997d86883a28d3ed02a7 | c:\Program Files (x86)\STOPzilla\Definitions\libOleA.dll |
e44a1d3a2204080d64cacd126206b9ba | c:\Program Files (x86)\STOPzilla\Definitions\libRTF.dll |
4585f5837ab43866580cf92c4cf4ed62 | c:\Program Files (x86)\STOPzilla\Definitions\libRar.dll |
9200387ed2757b65872be3d44dd3bbd8 | c:\Program Files (x86)\STOPzilla\Definitions\libVvs.dll |
d7a8e954cbff33e2c22d2c97d05f0112 | c:\Program Files (x86)\STOPzilla\Definitions\libZip.dll |
e69e80320e3dd4a95e0bcac115a1737c | c:\Program Files (x86)\STOPzilla\Definitions\libtd.dll |
7b293f4b7fba99a8fe190e8263abda17 | c:\Program Files (x86)\STOPzilla\Definitions\patchw32.dll |
592133b8c71bf389fb02ae0d983f1b15 | c:\Program Files (x86)\STOPzilla\Definitions\remediation.dll |
81544235fa6fbe909aa45480ceb4b28e | c:\Program Files (x86)\STOPzilla\Definitions\updater.dll |
58cd98421f7cc9b85764f8d55ef421cf | c:\Program Files (x86)\STOPzilla\Definitions\vcore.dll |
7b7505f8674ac9c8418b55f807a06f1d | c:\Program Files (x86)\STOPzilla\Drivers\amd64\sbapifs.sys |
c2d6ea33266fcd9a08003b91e24344c9 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\SBTIS.sys |
97ecce37dbaa0a871b4504cef53ee76b | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys |
1b1ae5f447175d4b0b32b959b1adb287 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys |
4a5f19b271f147d93a596a920db267d2 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys |
f1a634ec4c67ae3a73a45e8889a50a7b | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\SBTIS.sys |
9aef0f267553fd9c900e9449b61586b7 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys |
562b2169b40a26c261fe8825ec7bafe0 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\sbfw.sys |
22b224ab09f7756ee84219be38a4a6d5 | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbaphd.sys |
56a449846631a90acd4c585adcdaf30f | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbapifs.sys |
f581f124ca70b2e1272cfd16a46a3332 | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbapifsl.sys |
e6b0078dd3243517d287ad603d9d530f | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\SBTIS.sys |
9b60012f6212d87ad4c3a87f66fd5608 | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\SbFwIm.sys |
e3a663da49929a172c4a70deeb63f364 | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\sbfw.sys |
23e0af9ad52a479e6a03a2f37c0d3251 | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\SBTIS.sys |
804ea0e614b340bdd40c8ef4662698bf | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\SBWTIS.sys |
d43f30ac7ba8f5c42bd80640d9369fcf | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\sbfw.sys |
da12cd4cc9f5894c1627d4f5f6eb23c2 | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\sbhips.sys |
1b4acddfe18b30c51f624734b1d98f3a | c:\Program Files (x86)\STOPzilla\Drivers\i386\wxp\SbFwIm.sys |
25d11986a7553b2419f841b45a4ec812 | c:\Program Files (x86)\STOPzilla\GFI.Tools.Run64.exe |
9639e9f51b79467aceead299a10aaeb2 | c:\Program Files (x86)\STOPzilla\IncompatiblePrograms.dll |
1c5a13ce6a6aef0002eee3be451e36df | c:\Program Files (x86)\STOPzilla\SBAMOutlook.dll |
d15b5914ef9bdfdf8258d49a28fab665 | c:\Program Files (x86)\STOPzilla\SBAMSvc.exe |
93ca0d75c20b8573168fe66f2ff1471f | c:\Program Files (x86)\STOPzilla\SBAMSvcPS.dll |
cb80af4b93622279bc19e84e98f92d1a | c:\Program Files (x86)\STOPzilla\SBArva.dll |
372746a478f9418e05dcc9da4a6aa6e5 | c:\Program Files (x86)\STOPzilla\SBCA.dll |
e6b695bc8bfdae023fc456550fa818f3 | c:\Program Files (x86)\STOPzilla\SBRC.exe |
5e18c431d340e8635578ac6c1ee4e56a | c:\Program Files (x86)\STOPzilla\SBSetupDrivers.exe |
b5e8fcea8b777a272dcdf2a5eef951ea | c:\Program Files (x86)\STOPzilla\SBTE.dll |
8e997e071e69f84b4f4a5593b6105ae8 | c:\Program Files (x86)\STOPzilla\SBTIS.dll |
6bf9fa1f744484cb75875cbb1ed9e0cf | c:\Program Files (x86)\STOPzilla\STOPzilla.exe |
4120a8388a98f15ea4e924d5723755cb | c:\Program Files (x86)\STOPzilla\SZFileAssistant.exe |
976e0317dde869d6b9df27d35ae85580 | c:\Program Files (x86)\STOPzilla\SZNetAssistant.exe |
3855f9938aa8efeb260aa7ea7dfedf1a | c:\Program Files (x86)\STOPzilla\SZServer.exe |
6f83bdd5d8037dbc4822c8dc52f92c34 | c:\Program Files (x86)\STOPzilla\SZWSC.exe |
d1a1adc701fe30c14865ed1175566d49 | c:\Program Files (x86)\STOPzilla\SbFwe.dll |
86a9b72debf646ee577acc3f92267155 | c:\Program Files (x86)\STOPzilla\SbHips.dll |
0f7951b5e9059986f8d86d3bd051255a | c:\Program Files (x86)\STOPzilla\SbWebFilter.dll |
441fb58a8d6dab39e7ce05e501d81163 | c:\Program Files (x86)\STOPzilla\SpursDownload.dll |
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\gfiark.dll |
fe4d369172ac1cc19c876bdb5bdc31a3 | c:\Program Files (x86)\STOPzilla\gfiark32.sys |
4ea5458fca8518344686c543749365b1 | c:\Program Files (x86)\STOPzilla\gfiark64.sys |
93b9a6f54844e1da1806f56f3f054ac7 | c:\Program Files (x86)\STOPzilla\gfiarksh.dll |
d5034f1c940065cbe9febbde733a3e36 | c:\Program Files (x86)\STOPzilla\gfiutil.dll |
3eaeb9143a5dbc1082785bbbe8d8cfea | c:\Program Files (x86)\STOPzilla\gfiutl32.sys |
16a23ff8621929adc5b18dccd5e206ee | c:\Program Files (x86)\STOPzilla\gfiutl64.sys |
5960bad9ff184dcd8f032c7d909cee7e | c:\Program Files (x86)\STOPzilla\kbu.dll |
9ce7bd04edf43a81685030ff09e7f4d7 | c:\Program Files (x86)\STOPzilla\mimepp.dll |
0dc41cc978fd05152390174b95851e3e | c:\Program Files (x86)\STOPzilla\oeapiinitcom.dll |
2a769418ed33aa3e702c7327a6699e17 | c:\Program Files (x86)\STOPzilla\oecom.dll |
5fa9b930e89b8cbbb51c4daacc002207 | c:\Program Files (x86)\STOPzilla\oehook.dll |
7a4d7e803857225e1b6bbccfce3e3d23 | c:\Program Files (x86)\STOPzilla\oestore.dll |
55ff4d566ab4561d2fbc3d9bf4fb0c26 | c:\Program Files (x86)\STOPzilla\sbap.dll |
a5fe51b8ce661a935a165803c65a4bf1 | c:\Program Files (x86)\STOPzilla\unrar.dll |
c610485022bdaf12f3836b6955470b69 | c:\Program Files (x86)\STOPzilla\vipre.dll |
a8686b335519e7cc14dfeeebb0cb3d9c | c:\Program Files (x86)\STOPzilla\x32\sbbd.exe |
2b27f39cd22a9bad7b6e433d0233b68e | c:\Program Files (x86)\STOPzilla\x64\SBAMOutlook.dll |
a6767bed03486826014fb47875bbed6c | c:\Program Files (x86)\STOPzilla\x64\SBAMSvcPS.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Program Files (x86)\STOPzilla\x64\sbbd.exe |
44d101190beacc0bacc8af12ee16c7fe | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\ARPPRODUCTICON.exe |
44d101190beacc0bacc8af12ee16c7fe | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\NewShortcut1_E1495BBB3B6443E69DBFB09B3D0691D2.exe |
966cdbb7fec5242b2552d55fcd2a3c12 | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\UninstallSTOPzilla_14DDE1424B2549418BFF0B4BDBBB0762.exe |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\SysWOW64\mfc120.dll |
f4f2a4c459dd3aa22dd3984d13b15746 | c:\Windows\SysWOW64\mfc120u.dll |
832cc047743469082fae5e3cc830cd8c | c:\Windows\SysWOW64\mfcm120.dll |
ab8766067bb26d7ab4061b0e4fc7d2c0 | c:\Windows\SysWOW64\mfcm120u.dll |
fd5cabbe52272bd76007b68186ebaf00 | c:\Windows\SysWOW64\msvcp120.dll |
034ccadc1c073e4216e9466b720f9849 | c:\Windows\SysWOW64\msvcr120.dll |
44e45bd9327abc0540593e809b32f3ca | c:\Windows\SysWOW64\msxml4.dll |
cf34eec288a4c53e71602d5e0d65ef89 | c:\Windows\SysWOW64\msxml4r.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\SysWOW64\sbbd.exe |
69837e50c50561a083a72a5f8ea1f6a2 | c:\Windows\SysWOW64\vccorlib120.dll |
9aef0f267553fd9c900e9449b61586b7 | c:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\amd64\wnet\SBFWIM.sys |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\System32\mfc120.dll |
f4f2a4c459dd3aa22dd3984d13b15746 | c:\Windows\System32\mfc120u.dll |
832cc047743469082fae5e3cc830cd8c | c:\Windows\System32\mfcm120.dll |
ab8766067bb26d7ab4061b0e4fc7d2c0 | c:\Windows\System32\mfcm120u.dll |
fd5cabbe52272bd76007b68186ebaf00 | c:\Windows\System32\msvcp120.dll |
034ccadc1c073e4216e9466b720f9849 | c:\Windows\System32\msvcr120.dll |
44e45bd9327abc0540593e809b32f3ca | c:\Windows\System32\msxml4.dll |
cf34eec288a4c53e71602d5e0d65ef89 | c:\Windows\System32\msxml4r.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\System32\sbbd.exe |
69837e50c50561a083a72a5f8ea1f6a2 | c:\Windows\System32\vccorlib120.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SBSetupDrivers.exe:3152
SBSetupDrivers.exe:1812
%original file name%.exe:1912
runonce.exe:3092
runonce.exe:2736
GFI.Tools.Run64.exe:1928
DrvInst.exe:2212
DrvInst.exe:1680
STOPzilla.exe:3836
RUNDLL32.exe:3528
regsvr32.exe:3500
regsvr32.exe:1496
SZNetAssistant.exe:3916
mobsync.exe:3264
SZServer.exe:3384
SZServer.exe:992
SZWSC.exe:3788
SZWSC.exe:2612
MsiExec.exe:2456
MsiExec.exe:2624
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\drivers\sbwtis.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys (122 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\sbapifs.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys (65 bytes)
C:\Windows\System32\drivers\sbhips.sys (65 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (17489 bytes)
C:\Windows\System32\drivers\sbapifs.sys (90 bytes)
C:\Windows\System32\drivers\SbFw.sys (1543 bytes)
C:\Windows\System32\drivers\SETEAAC.tmp (601 bytes)
C:\Windows\System32\drivers\SbFwIm.sys (601 bytes)
C:\Windows\System32\DriverStore\infpub.dat (496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB51.tmp (3 bytes)
C:\Windows\System32\config\SYSTEM (6769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB5.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB4.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB31.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\amd64\wnet\SETDB62.tmp (601 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (9355 bytes)
C:\Windows\System32\catroot2\dberr.txt (1248 bytes)
C:\$Directory (768 bytes)
C:\Windows\inf\oem13.PNF (8464 bytes)
C:\Windows\inf\oem14.PNF (4811 bytes)
C:\Windows\System32\drivers\SETED8A.tmp (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\elf_hash.dat (5280 bytes)
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a81bb17e1f5dc49a730b06b63f6d28e9_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libNSIS.dll (3729 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504170900.xml (414 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ih.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\EPSigs.vdx (65 bytes)
C:\ProgramData\STOPzilla!\ThreatNetConfig.xml (810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\mime0.std (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsCab.dll (6049 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRar.dll (5729 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiarkup.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\gfiark.dll (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white0.std (15 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsi.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cblk.vtd (1236324 bytes)
%Program Files% (x86)\STOPzilla\Definitions\networkrules.dat (4 bytes)
%Program Files% (x86)\STOPzilla\Definitions\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl64.sys (310 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libtd.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhsl.vtd (22430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libtd.dll (2377 bytes)
%Program Files% (x86)\STOPzilla\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\adsrules.dat (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\SBTS.dat (3280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libEmail.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\macroptn.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\macroptn.std (7306 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\smim0.std (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatDesc.vdx (673 bytes)
C:\ProgramData\STOPzilla!\ServiceConfig.xml (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hcol.wtd (226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lgpl.dll (7345 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apincl.dat (7140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libCHM.dll (1873 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sdll0.std (223360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\updater.dll (3665 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatDT.vdx (392 bytes)
%Program Files% (x86)\STOPzilla\Definitions\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\IncompatiblePrograms.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\api0.std (3073 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\SBTE.dll (49 bytes)
C:\ProgramData\STOPzilla!\History\20150425042029.xml (38 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libNSIS.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\api0.std (524 bytes)
%Program Files% (x86)\STOPzilla\Definitions\DefVer.txt (26 bytes)
C:\ProgramData\STOPzilla!\FirewallConfig.xml (1434 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\heur0.std (20 bytes)
%Program Files% (x86)\STOPzilla\mimepp.dll (212 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\remediation.dll (7961 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRTF.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\updater.dll (849 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libBase64.dll (7025 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dnrl.vdx (1513 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\TImem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sdll0.std (64896 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libVvs.dll (12217 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\networkrules.dat (40 bytes)
C:\ProgramData\STOPzilla!\RegistrationConfig.xml (2408 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\whsl.wtd (41850 bytes)
C:\ProgramData\STOPzilla!\ThreatDefinitionsConfig.xml (2236 bytes)
%Program Files% (x86)\STOPzilla\gfiutl64.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dex_hash.dat (132706 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RegDT.vdx (36934 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FastSigs.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RTmem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiarkup.dll (2537 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FolderDT.vdx (1953 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libZip.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrl.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dex_hash.dat (378000 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libZip.dll (3441 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatDesc.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FileDT.vdx (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\VVSSigs.vdx (360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ih.vdx (11863 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CoreVer.txt (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhmem.vtd (484 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Cookies.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dnrl.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libOleA.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatDT.vdx (545890 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libOleA.dll (4497 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ihmem.vtd (540 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMachoUniv.dll (2337 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\whsl.wtd (4185 bytes)
%Program Files% (x86)\STOPzilla\Definitions\remediation.dll (2449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libOleA.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dat (84216 bytes)
%Program Files% (x86)\STOPzilla\Definitions\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\patchw32.dll (3226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libCHM.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\networkrules.dat (4 bytes)
C:\Windows\System32\drivers\gfiark.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\WebFilterExceptions.dat (1840 bytes)
%Program Files% (x86)\STOPzilla\Definitions\EPSigs.vdx (65 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hstn.vtd (1369 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libZip.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hstn.vtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hstn.vtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\incompats.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMachoUniv.dll (673 bytes)
C:\ProgramData\STOPzilla!\SoftwareUpdateConfig.xml (1244 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark64.sys (41 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\adsrules.dat (281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cmem.vtd (692 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\EPSigs.vdx (650 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dll (62 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ip.vtd (8240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\remediation.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\IncompatiblePrograms.dll (2281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\whsl.wtd (5041 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libNSIS.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatID.vdx (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\acertdefs0.std (4770 bytes)
%Program Files% (x86)\STOPzilla\Definitions\idsrules.dat (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark.dll (955 bytes)
%Program Files% (x86)\STOPzilla\Definitions\script0.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FileDT.vdx (3227 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\patchw32.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lgpl.dll (13065 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\bhsl.vtd (224300 bytes)
%Program Files% (x86)\STOPzilla\Definitions\HistoryCleaner.xml (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RegDT.vdx (74330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cname.wtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\JSSigs.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libEmail.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lib7zip.dll (4425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark.dll (29 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FastSigs.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libVvs.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RegDT.vdx (7433 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libEmail.dll (6505 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RTA84430 (5516 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dat (86490 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBBIN.RTP (405 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bmem.vtd (708 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FolderDT.vdx (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libBase64.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apprules.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lgpl.dll (73450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hcol.wtd (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrlmem.vtd (554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cname.wtd (905 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dexmem.vtd (348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sel.dat (6 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnf.vdx (5410 bytes)
%Program Files% (x86)\STOPzilla\SBAMConfig.bin (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ctid.vtd (2001852 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\JSSigs.vdx (1 bytes)
C:\ProgramData\STOPzilla!\HIPSConfig.xml (3056 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl32.sys (240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsCab.dll (2321 bytes)
%Program Files% (x86)\STOPzilla\Definitions\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\patchw32.dll (1514 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white.wtd (3903230 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\defs0.std (50348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\vcore.dll (395060 bytes)
%Program Files% (x86)\STOPzilla\Definitions\vcore.dll (40233 bytes)
%Program Files% (x86)\STOPzilla\Definitions\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRar.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark64.sys (410 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ih.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\script0.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xml (470 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\JSSigs.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark32.sys (823 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsCab.dll (23210 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\idsrules.dat (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FileDT.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\comp0.std (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dex_hash.dat (1327060 bytes)
%Program Files% (x86)\STOPzilla\gfiark64.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRTF.dll (1761 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\Cookies.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\updater.dll (6730 bytes)
C:\ProgramData\STOPzilla!\APConfig.xml (592 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RootCA.wtd (340 bytes)
%Program Files% (x86)\STOPzilla\Definitions\rem0.std (9605 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\pack0.std (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsi.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white.wtd (492846 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hcol.wtd (500 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dll (450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\idsrules.dat (136 bytes)
C:\ProgramData\STOPzilla!\HttpServerConfig.xml (624 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiarkup.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRTF.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libVvs.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatID.vdx (8632 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white0.std (150 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ckmem.vdx (412 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\defs0.std (852280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\HistoryCleaner.xml (6730 bytes)
%Program Files% (x86)\STOPzilla\SbHips.dll (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dll (620 bytes)
C:\ProgramData\STOPzilla!\CountScans.XML (338 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\AdviceTx.vdx (100 bytes)
%Program Files% (x86)\STOPzilla\gfiutil.dll (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\rem0.std (57449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sel.dat (6 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMThreatEngineLog.csv (1134046 bytes)
C:\Windows\System32\drivers\gfiutil.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cblk.vtd (998680 bytes)
%Program Files% (x86)\STOPzilla\Definitions\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\kbu.dll (127 bytes)
%Program Files% (x86)\STOPzilla\FSSC.dat (12 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dat (842160 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMachoUniv.dll (6730 bytes)
C:\ProgramData\STOPzilla!\WSCConfig.xml (1330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libtd.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lib7zip.dll (6730 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504171201.xml (370 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark64.sys (41 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504202902.xml (370 bytes)
%Program Files% (x86)\STOPzilla\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutil.dll (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sdll0.std (22336 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark.dll (290 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRar.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lib7zip.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xsd (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatID.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatDT.vdx (54589 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\bhsl.vtd (40124 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark32.sys (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\api0.std (30730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libCHM.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sel.dat (60 bytes)
%Program Files% (x86)\STOPzilla\Definitions\defs0.std (85228 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\script0.std (5374 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ctid.vtd (3413080 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\vcore.dll (76554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\macroptn.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\rem0.std (96050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsi.dll (3761 bytes)
C:\ProgramData\STOPzilla!\EmailAVConfig.xml (205 bytes)
%Program Files% (x86)\STOPzilla\Definitions\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatDesc.vdx (180 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white0.std (15 bytes)
C:\ProgramData\STOPzilla!\ScanConfig.xml (2932 bytes)
%Program Files% (x86)\STOPzilla\SBTIS.dll (114 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white.wtd (390323 bytes)
%Program Files% (x86)\STOPzilla\Definitions\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\Cookies.vdx (3097 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cblk.vtd (9985728 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\fsigs.vdx (1920 bytes)
%Program Files% (x86)\STOPzilla\Definitions\adsrules.dat (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\unpck0.std (550 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FolderDT.vdx (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libBase64.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatID.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FastSigs.vdx (280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\HistoryCleaner.xml (5951 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMSvcLog.csv (1383028 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ctid.vtd (341308 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cname.wtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnr.vdx (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarF5E3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabF5E2.tmp (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\STOPzilla7.msi (1643823 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
%Program Files% (x86)\STOPzilla\SBSetupDrivers.exe (180 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDC0D.tmp (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDBFC.tmp (8 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (940 bytes)
C:\Windows\inf\oem13.inf (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\amd64\wnet\SETDC0E.tmp (601 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\sbfwim.PNF (8464 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDE0.tmp (8 bytes)
C:\Windows\inf\oem14.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDF0.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim_m.inf_amd64_neutral_9058dec7bb12b258\sbfwim_m.PNF (4811 bytes)
C:\ProgramData\STOPzilla!\Logs\S-1-5-21-2858020935-2156992550-3658131804-1003.stopzilla7.log (24142 bytes)
C:\ProgramData\STOPzilla!\sz7.data-journal (4518 bytes)
C:\Windows\Temp\OLD168C.tmp (601 bytes)
C:\Windows\System32\drivers\SET169B.tmp (691 bytes)
%Program Files% (x86)\STOPzilla\x64\SBAMSvcPS.dll (69 bytes)
%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll (446 bytes)
C:\Windows\Temp\cfc791fe-c515-4b74-a3d5-bd35083fed43 (223 bytes)
C:\Windows\Temp\b547cdad-d8a5-4d61-95a2-f7616170c67e (223 bytes)
C:\Windows\Temp\ae0b2b8c-b2b5-4e50-b7ff-769522044179 (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz-net-assist.log (19768668 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Windows\Temp\fff275e4-419b-48fe-963a-c0011a05bfb9 (48733 bytes)
C:\Windows\Temp\037d4f6a-0574-4316-b003-d803b0bc2577 (24945 bytes)
C:\Windows\Temp\4c7c3001-c7cf-4f43-88e1-0f52a08e06a9 (223 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Windows\Temp\59db4a19-a509-4b93-b854-13678662fd8f (10071 bytes)
C:\Windows\Temp\bbe27e88-1190-4118-a730-4f9519d6c74d (30169149 bytes)
C:\Windows\Temp\7f53ae67-47b8-4bf2-aad3-054d5e7e2bf1 (223 bytes)
C:\Windows\Temp\73901abc-e30f-42ed-898e-68cb9217849e (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7.log (78551 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_o4arGwZ2LOh436Q (80 bytes)
C:\Windows\SysWOW64\msvcr120.dll (974 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7-msi.log (18618 bytes)
%Program Files% (x86)\STOPzilla\GFI.Tools.Run64.exe (192 bytes)
C:\Windows\SysWOW64\msvcp120.dll (458 bytes)
C:\ProgramData\STOPzilla!\Logs\wsc.log (6794 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI16DA.tmp (159 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: iS3, Inc.
Product Name: STOPzilla
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: SZSetup.exe
Internal Name: SZSetup.exe
File Version: 1.0.0.1
File Description: SZSetup
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 444320 | 444416 | 4.63553 | 01fe5975a96463c68a9730b939f9c82e |
.rdata | 450560 | 128084 | 128512 | 2.99724 | 3ed91c6d79cd15da81a5129faeb566cd |
.data | 581632 | 26316 | 12800 | 3.20506 | 18ad26b6e346363516b81415c2eedf3e |
.rsrc | 610304 | 1419844 | 1420288 | 5.24637 | 7e184cea4470ac1a14b855d48139c2d0 |
.reloc | 2031616 | 27584 | 27648 | 4.54562 | d2edca433123a76dca5a79625fbfa3ae |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://gdcrl.godaddy.com.akadns.net/repository/gdig2.crt | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de | |
hxxp://download.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/manifest.xml | 40.131.214.65 |
hxxp://d3ac8f3lk2h244.cloudfront.net/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= | |
hxxp://a1621.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1621.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1621.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.221.107 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e | 87.245.221.97 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de | 87.245.221.97 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a | 87.245.221.97 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= | 23.43.139.27 |
hxxp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi | 54.192.46.166 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.221.107 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.221.107 |
hxxp://certificates.godaddy.com/repository/gdig2.crt | 50.63.243.228 |
home.is3.com | 40.131.214.67 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain
User-Agent: SZHttp/1.0
Host: downloads.stopzilla.com
HTTP/1.1 200 OK
Content-Type: binary/octet-stream
Content-Length: 23516160
Connection: keep-alive
Date: Tue, 07 Apr 2015 16:59:38 GMT
Cache-Control: max-age=3600
Last-Modified: Tue, 07 Apr 2015 15:38:43 GMT
ETag: "0c997fa32c992c652ebd769fca552fbf"
Accept-Ranges: bytes
Server: AmazonS3
Age: 3589
X-Cache: Hit from cloudfront
Via: 1.1 e506c7e675965afaac0dc7f9ab49be60.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fOmEzwFxgAUsh_fboTv_87DqGKtSCZw6OezYV8jQcPTzGFb6Xv4tRg==
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sat, 25 Apr 2015 01:15:56 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 969
Date: Sat, 25 Apr 2015 01:15:57 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=581366, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 18:45:16 GMT
Expires: Fri, 1 May 2015 18:45:16 GMT
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
<<< binary OCSP response (1762 bytes): producedAt/thisUpdate 2015-04-24 18:45:16Z, nextUpdate 2015-05-01 18:45:16Z; signed by responder certificate CN=Symantec Class 3 PCA - G5 OCSP Responder Certificate 30 (O=Symantec Corporation, OU=Symantec Trust Network), issued by VeriSign Class 3 Public Primary Certification Authority - G5, valid 2014-12-02 to 2015-12-16, policy URLs at symauth.com/cps and symauth.com/rpa >>>
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=578942, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 18:05:06 GMT
Expires: Fri, 1 May 2015 18:05:06 GMT
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
<<< binary OCSP response (1725 bytes): producedAt/thisUpdate 2015-04-24 18:05:06Z, nextUpdate 2015-05-01 18:05:06Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2010 OCSP Responder (O=VeriSign, Inc., OU=VeriSign Trust Network), issued by VeriSign Class 3 Code Signing 2010 CA, valid 2015-02-25 to 2015-05-26 >>>
<<< skipped >>>
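The two requests to ocsp.verisign.com are OCSP-over-GET (RFC 6960, Appendix A): the URL path is the base64-encoded DER of an OCSPRequest, so the question CryptoAPI is asking can be read straight off the capture. The following is an added example, not part of the report or of any Microsoft or Symantec tooling, that decodes those two paths with a minimal DER reader and returns the CertID fields: hash algorithm, issuerNameHash, issuerKeyHash and the serial number of the certificate being checked. The DER walker and the field names are the example's own; the issuerKeyHash is what you would compare with the Subject Key Identifier of the issuing CA named in the responses above.

```python
import base64
from urllib.parse import unquote

# The two GET paths from the capture above (OCSP-over-GET, RFC 6960 Appendix A.1).
OCSP_GET_PATHS = [
    "MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=",
    "MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ=",
]

# Hash algorithm OIDs seen in CertID.hashAlgorithm (CryptoAPI 6.1 uses SHA-1 here).
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos. Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def expect(buf, pos, tag):
    """read_tlv that insists on a particular tag; returns (value, next_pos)."""
    t, v, nxt = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{t:02x}")
    return v, nxt


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path):
    """Decode the CertID of the first Request in an OCSP GET URL path."""
    der = base64.b64decode(unquote(path.strip("/")))
    ocsp_request, _ = expect(der, 0, 0x30)             # OCSPRequest
    tbs_request, _ = expect(ocsp_request, 0, 0x30)     # tbsRequest
    # tbsRequest may begin with [0] version and [1] requestorName; skip them if present.
    pos = 0
    tag, _, nxt = read_tlv(tbs_request, pos)
    while tag in (0xA0, 0xA1):
        pos = nxt
        tag, _, nxt = read_tlv(tbs_request, pos)
    request_list, _ = expect(tbs_request, pos, 0x30)   # requestList
    request, _ = expect(request_list, 0, 0x30)         # first Request only
    cert_id, _ = expect(request, 0, 0x30)              # CertID
    alg, pos = expect(cert_id, 0, 0x30)                # hashAlgorithm
    oid_raw, _ = expect(alg, 0, 0x06)
    name_hash, pos = expect(cert_id, pos, 0x04)        # issuerNameHash
    key_hash, pos = expect(cert_id, pos, 0x04)         # issuerKeyHash
    serial, _ = expect(cert_id, pos, 0x02)             # serialNumber
    oid = decode_oid(oid_raw)
    return {
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),   # compare with the issuer's Subject Key Identifier
        "serial": serial.hex(),              # raw DER INTEGER bytes; a leading 00 is a sign byte
    }


if __name__ == "__main__":
    for p in OCSP_GET_PATHS:
        print(parse_ocsp_get(p))
```

Only the first Request in the list is decoded, and request extensions (such as a nonce) are ignored; the capture shows single-certificate requests without a nonce, which is what CryptoAPI sends.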
GET /repository/gdig2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: certificates.godaddy.com
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 01:15:56 GMT
Server: Apache
Last-Modified: Wed, 21 Jan 2015 00:41:10 GMT
ETag: "6c0-50d1ecfcc3580"
Accept-Ranges: bytes
Content-Length: 1728
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Connection: close
Content-Type: application/x-x509-ca-cert
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuri
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
GET /binaries/stopzilla/auto_installer/7.0.1.3/manifest.xml HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain
User-Agent: SZHttp/1.0
Host: download.stopzilla.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 2063
Content-Type: text/xml
Last-Modified: Tue, 07 Apr 2015 15:38:09 GMT
Accept-Ranges: bytes
ETag: "b7aa46d94871d01:6ec1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 25 Apr 2015 01:15:57 GMT
<?xml version="1.0" encoding="utf-8" ?>
<szmanifest schema="1" version="7.0.1.3">
  <file name="STOPzilla7.msi" location="http://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi" size="23516160" original_size="23516160" sha256="e179bb743303e628c1e1f85c5ad4bf12a36e985d5e707b28ce83a78feac9d0e1" msi_version="7.0.1.3" min_version="7.0.1.3" incremental="0" />
  <file name="SZServer.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZServer.bin" size="709858" original_size="709858" sha256="226f560ff43434b0bdf1940d86bf9ce2dc8220545ae6357275316446e1a6a7a6" encoding="zfzip" incremental="1" />
  <file name="STOPzilla.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla.bin" size="924330" original_size="924330" sha256="eb2282a8edce7c27ef8cd285fd2c702e2936d4f7a9ededea8d5536db94f76314" encoding="zfzip" incremental="1" />
  <file name="SZNetAssistant.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZNetAssistant.bin" size="1318507" original_size="1318507" sha256="3f49e7e37932dd83bb51e99230dff23f45a2fb5de21390b63c976501fb15cd76" encoding="zfzip" incremental="1" />
  <file name="SZFileAssistant.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZFileAssistant.bin" size="465312" original_size="465312" sha256="1ee3f0af8e312d63bc65a518a1e94a718498dca56ab589a6353584207922e14d" encoding="zfzip" increment
<<< skipped >>>
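The manifest fetched from download.stopzilla.com binds each auto-installer download to a size and a SHA-256, so the check a downloader should apply after fetching each .bin is a simple one. The following is an added example, not STOPzilla's code and not part of the report: it parses a manifest in the same shape, verifies downloaded bytes against the matching entry, and flags entries whose location is plain http. The manifest text, the file name, the host downloads.example.invalid and the sample bytes are constructed for the example. Whether the digest in a real entry covers the zfzip-encoded file as downloaded or the decoded original is not visible in the capture; the example assumes it covers the bytes as downloaded.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest in the same shape as the captured szmanifest. The entry, host and
# digest are made up for this example; the sha256 is that of the sample payload b"abc".
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" ?>
<szmanifest schema="1" version="7.0.1.3">
  <file name="example.bin" location="http://downloads.example.invalid/auto_installer/7.0.1.3/example.bin"
        size="3" original_size="3"
        sha256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        encoding="zfzip" incremental="1" />
</szmanifest>
"""


def parse_manifest(xml_text):
    """Return {file name: entry dict} for every <file> element of an szmanifest document."""
    root = ET.fromstring(xml_text)
    if root.tag != "szmanifest":
        raise ValueError(f"unexpected root element {root.tag!r}")
    entries = {}
    for f in root.findall("file"):
        name = f.get("name")
        sha = f.get("sha256", "")
        if name is None or len(sha) != 64:
            raise ValueError(f"malformed <file> entry: name={name!r} sha256={sha!r}")
        entries[name] = {
            "location": f.get("location", ""),
            "size": int(f.get("size")),
            "original_size": int(f.get("original_size", f.get("size"))),
            "sha256": sha.lower(),
            "encoding": f.get("encoding"),
        }
    return entries


def verify_payload(entry, data):
    """Integrity findings for downloaded bytes against a manifest entry; [] means it matches.

    Assumption (not visible in the capture): the digest covers the bytes as downloaded,
    i.e. the zfzip-encoded file, not the decoded original.
    """
    findings = []
    if len(data) != entry["size"]:
        findings.append(f"size mismatch: manifest says {entry['size']}, got {len(data)}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != entry["sha256"]:
        findings.append(f"sha256 mismatch: manifest says {entry['sha256']}, got {digest}")
    return findings


def transport_warnings(entry):
    """Non-integrity findings: a hash fetched over the same plaintext channel as the payload
    detects corruption and server-side mismatch, but does not authenticate the update."""
    scheme = urlparse(entry["location"]).scheme.lower()
    if scheme != "https":
        return [f"location scheme is {scheme!r}, not https; manifest and payload share an unauthenticated channel"]
    return []


if __name__ == "__main__":
    entries = parse_manifest(SAMPLE_MANIFEST)
    entry = entries["example.bin"]
    print("good payload :", verify_payload(entry, b"abc"))
    print("tampered     :", verify_payload(entry, b"abd"))
    print("transport    :", transport_warnings(entry))
```

The report's capture shows the manifest itself arriving over plain HTTP and, in the portion shown, carrying no signature, so a passing hash says only that the bytes match what the manifest server handed out; authenticating the update requires the installer to verify something the channel cannot alter, such as the Authenticode signature of each binary after decoding.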
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
SZServer.exe_3384:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
t.jtj
t.jtj
t.jpj
t.jpj
f;F.sA
f;F.sA
f;H.sA
f;H.sA
L$4f;P.sF3
L$4f;P.sF3
.6.78.9:;
.6.78.9:;
B.CDEFFG
B.CDEFFG
t.jTj
t.jTj
t.jXj
t.jXj
t.jLj
t.jLj
t.jhj
t.jhj
8SQLi
8SQLi
n-l}
n-l}
EUu.AUu
EUu.AUu
.ZH
.ZH
vipre.targets.
vipre.targets.
SQLite format 3
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
3.8.8.3
3.8.8.3
CREATE TEMP TABLE sqlite_temp_master(
CREATE TEMP TABLE sqlite_temp_master(
zilla.applications.stopzilla.license.volume_serial
zilla.applications.stopzilla.license.volume_serial
zilla.applications.stopzilla.license.instance_key
zilla.applications.stopzilla.license.instance_key
zilla.applications.stopzilla.license.type
zilla.applications.stopzilla.license.type
home-service.phone-home.status
home-service.phone-home.status
scan.results_xml
scan.results_xml
CSZScanStoredAction::Execute
CSZScanStoredAction::Execute
custom.all-drives
custom.all-drives
custom.known-file-types
custom.known-file-types
custom.ignore-removable
custom.ignore-removable
custom.cookies
custom.cookies
custom.processes
custom.processes
custom.deep-processes
custom.deep-processes
custom.registry
custom.registry
custom.all-users
custom.all-users
custom.derivatives
custom.derivatives
custom.root-kits
custom.root-kits
custom.archives
custom.archives
custom.common-tactics
custom.common-tactics
custom.path.
custom.path.
vipre.targets.out_of_date
vipre.targets.out_of_date
vipre.ap.
vipre.ap.
vipre.ap.unspecified
vipre.ap.unspecified
external.url_survey
external.url_survey
system.first_run
system.first_run
system.install.realtime_reboot_required
system.install.realtime_reboot_required
system.last.service.shutdown.time
system.last.service.shutdown.time
system.last_boot_time
system.last_boot_time
system.initial_ap_handled
system.initial_ap_handled
CSZSQLDatabase::ExecuteSQL
CSZSQLDatabase::ExecuteSQL
CSZSQLDatabase::CompileSQL
CSZSQLDatabase::CompileSQL
%s>
%s>
%s?>
%s?>
SQLITE_
SQLITE_
d-d-d d:d:d
d-d-d d:d:d
d:d:d
d:d:d
d-d-d
d-d-d
failed to allocate %u bytes of memory
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
failed memory resize %u to %u bytes
922337203685477580
922337203685477580
API call with %s database connection pointer
API call with %s database connection pointer
RowKey
RowKey
GetProcessHeap
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
delayed %dms for lock/sharing conflict
%s-shm
%s-shm
%s%c%s
%s%c%s
recovered %d pages from %s
recovered %d pages from %s
recovered %d frames from WAL file %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
cannot limit WAL size: %s
invalid page number %d
invalid page number %d
2nd reference to page %d
2nd reference to page %d
Failed to read ptrmap key=%d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
failed to get page %d
freelist leaf count too big on page %d
freelist leaf count too big on page %d
Page %d:
Page %d:
unable to get the page. error code=%d
unable to get the page. error code=%d
btreeInitPage() returns error code %d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On tree page %d cell %d:
On page %d at right child:
On page %d at right child:
Corruption detected in cell %d on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Page %d is never used
Pointer map page %d is referenced
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Outstanding page count goes from %d to %d during this analysis
unknown database %s
unknown database %s
%s(%d)
%s(%d)
%s-mjXXXXXX9XXz
%s-mjXXXXXX9XXz
MJ delete: %s
MJ delete: %s
MJ collide: %s
MJ collide: %s
-mjX9X
-mjX9X
FOREIGN KEY constraint failed
FOREIGN KEY constraint failed
unable to use function %s in the requested context
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
bind on a busy prepared statement: [%s]
zeroblob(%d)
zeroblob(%d)
FOREIGN KEY
FOREIGN KEY
abort at %d in [%s]: %s
abort at %d in [%s]: %s
%s constraint failed: %s
%s constraint failed: %s
%s constraint failed
%s constraint failed
cannot open savepoint - SQL statements in progress
cannot open savepoint - SQL statements in progress
no such savepoint: %s
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_temp_master
sqlite_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
cannot change %s wal mode from within a transaction
database table is locked: %s
database table is locked: %s
statement aborts at %d: [%s] %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open value of type %s
cannot open virtual table: %s
cannot open virtual table: %s
cannot open table without rowid: %s
cannot open table without rowid: %s
cannot open view: %s
cannot open view: %s
no such column: "%s"
no such column: "%s"
foreign key
foreign key
indexed
indexed
cannot open %s column for writing
cannot open %s column for writing
misuse of aliased aggregate %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s.%s
%s: %s.%s
%s: %s.%s
%s: %s
%s: %s
%s prohibited in partial index WHERE clauses
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
%s prohibited in CHECK constraints
not authorized to use function: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many SQL variables
too many SQL variables
too many columns in %s
too many columns in %s
EXECUTE %s%s SUBQUERY %d
EXECUTE %s%s SUBQUERY %d
hex literal too big: %s
hex literal too big: %s
misuse of aggregate: %s()
misuse of aggregate: %s()
%.*s"%w"%s
%.*s"%w"%s
%s%.*s"%w"
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_trigger
sqlite_rename_parent
sqlite_rename_parent
%s OR name=%Q
%s OR name=%Q
type='trigger' AND (%s)
type='trigger' AND (%s)
sqlite_
sqlite_
table %s may not be altered
table %s may not be altered
there is already another table or index with this name: %s
there is already another table or index with this name: %s
view %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_altertab_%s
sqlite_stat1
sqlite_stat1
sqlite_stat3
sqlite_stat3
sqlite_stat4
sqlite_stat4
CREATE TABLE %Q.%s(%s)
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
too many attached databases - max %d
too many attached databases - max %d
database %s is already in use
database %s is already in use
unable to open database: %s
unable to open database: %s
no such database: %s
no such database: %s
cannot detach database %s
cannot detach database %s
database %s is locked
database %s is locked
sqlite_detach
sqlite_detach
sqlite_attach
sqlite_attach
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
%s cannot use variables
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
too many columns on %s
too many columns on %s
duplicate column name: %s
duplicate column name: %s
default value of column [%s] is not constant
default value of column [%s] is not constant
table "%s" has more than one primary key
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
PRIMARY KEY missing on table %s
PRIMARY KEY missing on table %s
CREATE %s %.*s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat
table %s may not be dropped
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
cannot create a TEMP index on non-TEMP table "%s"
cannot create a TEMP index on non-TEMP table "%s"
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
a JOIN clause is required before %s
%s.%s
%s.%s
%s.rowid
%s.rowid
unable to identify the object to be reindexed
unable to identify the object to be reindexed
duplicate WITH table name: %s
duplicate WITH table name: %s
no such collation sequence: %s
no such collation sequence: %s
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
sqlite_version
sqlite_version
sqlite_source_id
sqlite_source_id
sqlite_log
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
foreign key mismatch - "%w" referencing "%w"
table %S has no column named %s
table %S has no column named %s
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
%d values for %d columns
%d values for %d columns
sqlite3_extension_init
sqlite3_extension_init
unable to open shared library [%s]
unable to open shared library [%s]
sqlite3_
sqlite3_
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
error during initialization: %s
automatic extension loading failed: %s
automatic extension loading failed: %s
defer_foreign_keys
defer_foreign_keys
foreign_key_check
foreign_key_check
foreign_key_list
foreign_key_list
foreign_keys
foreign_keys
*** in database %s ***
*** in database %s ***
NULL value in %s.%s
NULL value in %s.%s
unsupported encoding: %s
unsupported encoding: %s
malformed database schema (%s)
malformed database schema (%s)
%s - %s
%s - %s
unsupported file format
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
COMPOUND SUBQUERIES %d AND %d %s(%s)
column%d
column%d
%s:%d
%s:%d
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
no such index: %s
no such index: %s
multiple references to recursive table: %s
multiple references to recursive table: %s
circular reference: %s
circular reference: %s
table %s has %d values for %d columns
table %s has %d values for %d columns
multiple recursive references: %s
multiple recursive references: %s
recursive reference in a subquery: %s
recursive reference in a subquery: %s
sqlite_sq_%p
sqlite_sq_%p
too many references to "%s": max 65535
too many references to "%s": max 65535
%s.%s.%s
%s.%s.%s
no such table: %s
no such table: %s
SCAN TABLE %s%s%s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such trigger: %S
-- TRIGGER %s
-- TRIGGER %s
no such column: %s
no such column: %s
cannot VACUUM - SQL statements in progress
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
automatic index on %s(%s)
table %s: xBestIndex returned an invalid plan
ANY(%s)
SUBQUERY %d
TABLE %s
AS %s
PRIMARY KEY
COVERING INDEX %s
INDEX %s
USING INTEGER PRIMARY KEY
VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
no such table column: %s.%s
operator >> (CSZVinaryData& failure
CSZApplicationPipeServer::Reply
CSZApplicationPipeServer::GetWrapper
CSZHomeServiceComponentResult::ParseTokenKey
pipe-name
key-invalid
key-inactive
key-in-use
key-mismatch
external.product
external.edition
external.affiliate_id
external.downloader_id
external.reseller_id
CSZStoredAction::Execute
CSZServiceApplication::ImportExternalConfig
client.presence.interactive
client.presence.helper
CSZAppDB::ExecuteMigrationCode
last-execute-time
last-execute-result
last-execute-result-text
stored-action.saved
never-executed
CSZApplicationPipeClient::_Execute
pipe.closed
CSZApplicationPipeClient::GetWrapper
CSZApplicationPipeClient::OnPacket
external.home_service_url
stored-action.deleted
Support
CSZHomeServiceLicense::ExtractSupport
update.binaries.full
update.binaries.incremental
u-u-uTu:u:u
SMTPErrorString
CloseEmailWindowMsg
BadUrlReplacementText
BadUrlCheckingEnabled
BadUrlActionEnum
WindowsLiveMailClientEnabled
Port
BaseURL
LogToWindowsEventLog
Password
vipre.ap.disabled
vipre.ap.enabled
vipre.ap.snoozed
vipre.targets.up_to_date
CSZPipeClient::OnReadProc
CSZPipeClient::ReadData
CSZPipeClient::ReadProc
CSZPipeClient::WriteProc
X:\sz7.0.1.3\Build7\Release\x86\SZServer.pdb
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCP120.dll
RPCRT4.dll
MPR.dll
MSVCR120.dll
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
WTSAPI32.dll
USERENV.dll
CreateNamedPipeW
ConnectNamedPipe
WaitNamedPipeW
DisconnectNamedPipe
VERSION.dll
.?AVDelegate@CSZApplicationPipeServer@@
.?AVCSZSQLDatabase@@
.PAVbad_cast@std@@
.PAVexception@std@@
.PAVrange_error@std@@
.PAVruntime_error@std@@
.?AVListener@CSZApplicationPipeServer@@
.?AVCSZPWKeyValueNotify@@
.?AVCSZSQLStatement@@
.?AVCSZPacketPipeServer@@
.?AVCSZPipeServer@@
.?AVCSZApplicationPipeServer@@
.?AVCSZPipeClient@@
.?AVCSZPacketPipeClient@@
.?AVCSZPacketPipeConnection@@
.?AVCSZPipeConnection@@
.?AVCSZApplicationPipeClient@@
.?AV?$TSZThreadQueue@VCSZPWHttpRetryRequest@@@@
.?AV?$TSZThreadQueue@USSZPendingHTTPRequest@@@@
.?AVDelegate@?$TSZThreadQueue@VCSZPWHttpRetryRequest@@@@
.?AVDelegate@?$TSZThreadQueue@USSZPendingHTTPRequest@@@@
.?AVCSZPWHttpResponse@@
.?AVCSZPWHttpRetryRequest@@
.?AVCSZPWHttpStatus@@
.?AVCSQLMigrationStep@@
.?AVCSZPWHttpRequest@@
.?AVCSZPWHttpRetryResponse@@
.?AVCVIPREWebFilterEvents@@
.?AU_ISBWebFilterEvents@@
.?AVCSZPipeServerThread@CSZPipeServer@@
.?AVCSZPipeConnectionThread@CSZPipeConnection@@
.?AVIO@CSZPipeClient@@
.?AVCMD5Checksum@@
]]>
true
%hs: ApplyThreatUpdateBlocking %s; definitions unchanged from %d
%hs: ApplyThreatUpdateBlocking %s; definitions updated from %d to %d, but expected %d
%hs: ApplyThreatUpdateBlocking %s; definitions updated from %d to %d
%hs: missing full update required from version %d to (at least) %d
%hs: full update to (at least) version %d required; update to version %d found
%hs: non-sequential incremental update; expected %d, got %d
Legacy DB: Failed to compile statement '%s' [%u|%s]
Legacy DB: Failed to get value '%hs' for user '%hs' [%d|%s]
Legacy DB: Failed to get system value '%hs' [%d|%s]
Scan Thread: Awakened with scan request (0xX).
scan_clean.xml
%SystemDrive%\Program Files
%SystemDrive%\Program Files (x86)
%SystemDrive%\Windows
%SystemDrive%\programdata
%SystemDrive%\users
%SystemDrive%\documents and settings
settings.scan.low-severity
settings.scan.root-kits
settings.scan.low-priority
settings.scan.update
settings.scan.archives
settings.scan.auto-clean
settings.scan.reboot-after-clean
settings.scan.cookies
settings.scan.removable
nsettings.app.battery-power
%hs: stored scan '%s' (type %d) started.
%hs: stored scan '%s' (type %d) failed to start (ERROR)
%hs: stored scan '%s' (type %d) failed to start (BUSY)
%hs: stored scan '%s' (type %d) failed to start (CHECKING_FOR_UPDATES)
%hs: stored scan '%s' (type %d) failed to start (REBOOT_REQUIRED)
%hs: stored scan '%s' (type %d) failed to start (RUNNING)
ServerAction: Action recieved (%d).
ServerAction: Unknown action (%d).
%hs: Unexpected result from wait (%u).
updates.vipre-targets.available
GFI.Tools.Run64.exe
SBSetupDrivers.exe" /update /HIPS /ARVA /FW /AP
SBSetupDrivers.exe
VIPRE Reporting drivers already installed.
SBSetupDrivers.exe" /install /HIPS /ARVA /FW /AP
SBSetupDrivers.exe" /uninstall /HIPS /ARVA /FW /AP
Executed: (Exit Code - %u) "%s" %s
Failed to get exit code executing: "%s" %s
Wait failed executing: (0xX) "%s" %s
Error executing: "%s" %s
Session: New session (%u) (First Run: %s)
STOPzilla.exe
Session: Unable to start '%s' [%u|%s].
Session: Closed session (%u)
license.legacy_check
Licensing: Imported legacy instance key '%s'.
license.legacy_imported
dVIPRE: Request to toggle AV (Enable: %s).
VIPRE: Request to toggle AV Executing (Enable: %s).
VIPRE: AP Status change (%d).
VIPRE: AP State change (%d).
%d-%m-%Y %H:%M
System Boot: First Boot - Local Time: %s
System Boot: Rebooted - Local Time: %s
System Boot: System did not reboot - Local Time: %s.
userdata.db
VIPRE Infection: %s
%hs(%d)
[%d/%m/%Y %H:%M:%S]
(%s%s%s%s%s):
%hs: '%s' (0xX)
%hs: unable to compile empty or missing SQL statement
%hs: failed to compile '%s' [%d|%hs]
"%s" %s
explorer.exe
hkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoice
hkcr\http\shell\open\command
%hs(%d): failed [%u|%s]
%hs(%u, %u): failed [%u|%s]
Kernel32.dll
s%s%s
%s%s%s%s
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
application-pipe-server
%hs: no wrapper for opCode %u
%hs: failed to download '%s' from '%hs' [%u|%s]
%hs: failed to decode '%s' from '%hs' [%u|%s]
%hs: failed to open '%s' [%u|%s]
%hs: failed to get length of '%s' [%u|%s]
%hs: failed to verify length of '%s'; expected %I64u but got %I64u instead [%u|%s]
%hs: failed to compute hash of '%s' [%u|%s]
%hs: failed to verify hash of '%s'; expected '%hs' but got '%hs' instead [%u|%s]
%hs: downloaded '%s' from '%hs' to '%s', with size %I64u
%hs: downloaded '%s' from '%hs' to '%s', with size %I64u and %s hash '%hs'
%hs: ENCODING_ZFZIP specified; failed to open archive '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; archive does not contain '%s'
%hs: ENCODING_ZFZIP specified; failed to create/open unique file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; failed to extract file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; failed to write file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; '%s' extracted from '%s' into '%s'
.available
.timestamp
%hs: component '%hs' skipped with result %d
%hs: failed to delete file '%s' [%u|%s]
%hs: no token key provided
%hs: unexpected token key '%hs'
SetProcessAffinityMask failed [%u|%s]
Working Directory: %s
CSZLogManager::Initialize(0x%X) failed [%u|%s]
ConstructLogFile(%s) failed [%u|%s]
support.phone.%
support.phone.
%hs: duplicate component (%d|%hs)
%hs: unable to parse received action content '%hs' [%u]
%hs: attempt to execute an action with no implementation!
%hs: %hs named '%s' updated to %u
external.override.scheduled.updates.interval
scheduled.phone-home.get.
Error: Unexpected message loop (0xX).
Install complete (%d).
Upgrade complete (%d).
default_external_config.xml
Default External Config: Document not found 'default_external_config.xml'.
External Config: 'external.product' found. Bypassing default external config load.
Failed to import property '%s'
Unsuccessful import of SZSetup supplied external config
Rejected external property '%s' with value '%s'
Importing external property '%s' with value '%s' as '%s'
Importing external property '%s' with value '%s'
%s Initializing
AllocConsole() failed [%u|%s]
Unhandled exception processing console command: %s
Unrecognized console command: %s
StartServiceCtrlDispatcher failed [%u|%s]
%hs(%s, %u)
%hs(%u, %u)
SetServiceStatus failed [%u|%s]
Could not create event '%s'.
Unable to start pipe server.
/sz_pipe
External Config: Failed to connect to SZSetup.exe '%s'. (%u)
%s Version: %s
%s Product Version: %s
OS: %s
CPU Type: %s
CPU Count: %d
CPU Cores: %d
CPU Logical Cores: %d
Memory Total: %d MB
Memory Available: %d MB
Memory Page File: %d MB
e%hs: Replacing client session information for process %u
%hs: Caching client session information for process %u
t%hs: discarding client information for terminating process %u
%hs: uncached client with process ID %u
%hs: discarding client information for disconnected process %u
Failed: %s
Exception: %s
%s in transaction
Licensing: Update License: valid(X) instance(%s) type(%d) start_date(%I64d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)
INSERT INTO migration_history (version, phase) VALUES (%d, %d)
Failed to get value '%hs' for user '%hs' [%d|%s]
Failed to get system value '%hs' [%d|%s]
Failed to set value '%hs' for user '%hs' [%u|%s]
Failed to set system value '%hs' [%u|%s]
Failed to delete value '%hs' for user '%hs' [%u|%s]
Failed to delete system value '%hs' [%u|%s]
Failed to delete %hs keys %s %s [%u|%s]
Failed to write message %d [%u|%s]
'%s' cannot be opened and cannot be set aside
'%s' set aside but new file not opened
'%s' set aside and recreated
'%s' not created
No phase %d (%hs) migration necessary; current migration is %d
Phase %d (%hs) migration mismatch - DB is %d and application is %d
'%s' cannot be set aside
Migrated phase %d (%hs) from version %d to %d
SELECT value_type, value_data FROM kv_data WHERE user=? AND key=?
SELECT key, value_type, value_data FROM kv_data WHERE user=? AND key LIKE ?
REPLACE INTO kv_data (user, key, value_type, value_data) VALUES (?, ?, ?, ?)
DELETE FROM kv_data WHERE user=? AND key=?
DELETE FROM kv_data WHERE user=? AND key LIKE ?
DELETE FROM kv_data WHERE user=? AND key NOT LIKE ?
Failed to compile statement '%s' [%u|%s]
Failed to execute statement '%s' [%u|%s]
%hs: CreateFile('%s') failed [%u|%s]
CONFIG.XML
%hs: invalid option '%c' for component (%d/%hs)
%hs: option '%c' for component (%d/%hs) requires value for variable %hs
%hs: option '%c' for component (%d/%hs) contains unbalanced variable delimiters
application-pipe-client
%hs: wait failed with unexpected result %u
%hs: unhandled incoming packet - opCode(%u)
SZNetAssistant.exe
%hs: hang up request for incorrect context; expected %u and got %u
e%hs: request with context %u and payload '%hs' rejected by context %u
e%hs: no database available for SQL statement '%s'
%hs: failed to compile SQL statement '%s'
%hs: found duplicate name '%s' for type '%hs'
%hs: timer %I64u scheduled action '%s' to run in %ums
%hs: not scheduling action '%s' because it reported no future interval
%hs: executing action '%s'
%hs: no action to execute
Failed to execute function '%hs' [%u|%s]
Failed to set value '%hs' [%u|%s]
%hs: unsupported step '%hs'
sSZFileAssistant.exe
%hs: missing file '%s' required
%hs: can't compute hash of '%s'; getting file
%hs: modified file '%s' required
%hs: failed to create folder '%s' [%u|%s]
nexternal.type
external.validation.file
external.validation.version
external.timestamp
%hs: internal error - import failed
%hs: updated license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)
%hs: failed to update license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d) [%u|%s]
%hs: duplicate region key '%s'
%hs: missing value for region '%s' and status '%hs'
%hs: invalid status value '%hs' for region '%s'
%hs: missing %d of %d expected statuses in region '%s'
%hs: assistant '%s' being destroyed with %u clients
%hs: failed to launch assistant '%s' [%u|%s]
%hs: failure after launching assistant '%s' [%u|%s]
%hs: incremented open count (%u) for assistant '%s'
%hs: reusing connection for assistant '%s'
%hs: attempt to release unopened assistant '%s'
%hs: decrementing open count (%u) for assistant '%s'
e%hs: invalid response opcode; expected %u, got %u
%hs: not closing assistant '%s' because its open count is %u
%hs: cannot reply to missing ack in assistant '%s'!
%hs: TerminateProcess failed on process %u [%u|%s]
%hs: ExecuteUserProcess('%s', '%s', %s, %u, %d, %s, &m_process, &m_pid) failed [%u|%s]
%hs: ExecuteSystemProcess('%s', '%s', %s, %s, &m_process, &m_pid) failed [%u|%s]
%hs: wait for '%s' interrupted by Close request
%hs: wait for '%s' interrupted by shutdown request
%hs: wait for '%s' interrupted by its' own termination
%hs: wait for '%s' interrupted for unexpected reason [%u]
%hs: parse error on markup '%hs' [%u|%s]
%hs: element '%hs' not supported by config object factory
%hs: failed to delete '%s' [%u|%s]
\msiexec.exe
%hs: failed to launch msiexec [%u|%s]
%hs: '%s' opened without an ack!
Global\update.binaries.skip_wait
%hs: waiting %u ms before applying updates
%hs: Warn did NOT timeout (%u)
d%hs: file '%s' not found
updates.binaries.
%hs: [empty original] %s
%hs: [remove] %s
%hs: [missing replacement] %s
%hs: [add] %s
%hs: [replace] %s
%hs: moved '%s' to '%s'
%hs: failed to move '%s' to '%s' [%u|%s]
%hs: failed to locate '%s' [%u|%s]
%hs: failed to reset dacl on '%s' [%u|%s]
%hs: failed to remove '%s' [%u|%s]
%hs: deleted '%s'
CreateInstance(CLSID_SBService) returned 0xX
CreateInstance(CLSID_SBLogger) returned 0xX
CreateInstance(CLSID_SBActiveProtection) returned 0xX
CreateInstance(CLSID_SBScanControl) returned 0xX
CreateInstance(CLSID_SBQuarantine) returned 0xX
CreateInstance(CLSID_SBRegistration) returned 0xX
CreateInstance(CLSID_SBSoftwareUpdates) returned 0xX
CreateInstance(CLSID_SBThreatDefinitions) returned 0xX
CreateInstance(CLSID_SBVipre) returned 0xX
CreateInstance(CLSID_SBWSC) returned 0xX
CreateInstance(CLSID_SBEmailAV) returned 0xX
CreateInstance(CLSID_SBFirewall) returned 0xX
CreateInstance(CLSID_SBWebFilter) returned 0xX
CreateInstance(CLSID_SBHIPS) returned 0xX
CreateInstance(CLSID_SBLanGuard) returned 0xX
Released ISBFirewallWebFilter
vipre.config.scan.known-apps.reset
%hs: VIPRE failure [0xX|%s]
VIPRE: Error communicating to set back the config: %s
Incompatibles Check: Did not find program data in '%s' or '%s'
eEnableAP() returned 0xX
DisableAP() returned 0xX
%hs: file error [%u|%s]
IncompatiblePrograms.dll
incompats.dat
Incompatibles Check: Found '%s' but not '%s'
Incompatibles Check: Found but did not load '%s' [%u|%s]
Incompatibles Check: '%s' does not contain function '%hs'
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been cleaned.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been quarantined. You can unquarantine this suspicious file from the %PRODUCT% application.%CRLF%Definition Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been deleted.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCT% Anti-phishing removed a known bad URL from your email message. It was deleted or quarantined and replaced with this message.
SZWSC.exe
%hs: not launching '%s' - no arguments
%hs: failed to launch '%s' with arguments '%s' [%u|%s]
%hs: launched '%s' with arguments '%s'
%hs: waiting for '%s' to finish...
%hs: unexpected wait termination [%u]
%hs: OpenSCManager failed [%u|%s]
%hs: OpenService failed [%u|%s]
Advapi32.dll
%hs: unable to load Advapi32.dll
%hs: queue '%s', index %u - thread 0x%X started
%hs: queue '%s', index %u - wait failed with result %u
%hs: queue '%s', index %u - thread 0x%X ending
%hs: queue '%s' - attempt to start while abort is signalled
%hs: queue '%s', index %u - failed to start [%u|%s]
%hs: queue '%s', index %u - thread completed
\\.\pipe\
dbghelp.dll
%s%d.dmp
%s%d.log
Unhandled Exception: Code(0xX) Addess(0xX)
Windows 95
Windows 98
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows .Net
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2
Windows 8
Windows 8.1
Windows 10
Windows 2012 Server
Windows 2012 Server R2
Web Server
%s ~%d MHZ
GetLogicalProcessorInformation is not supported.
Unable to determine windows version
%u.%u.%u
kernel32.dll
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Web Server Edition
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Web Edition
Windows XP
Windows 2000
(build %d)
%hs: expected sequence number greater than or equal to %u; got %u instead
%hs: packet %u of request %u indicated no more data when %u packets remain.
[Client]: Closing connection (0xX).
[Client]: Open connection (0xX).
[Client]: Open connection (0xX).
%hs: async read failed [%u|%s]
%hs: async read failed [%u|%s]
%hs: failed to process %u transfered bytes
%hs: failed to process %u transfered bytes
a%hs: ReadFileEx failed [%u|%s]
a%hs: ReadFileEx failed [%u|%s]
%hs: expected packet buffer of %u bytes; got %u bytes
%hs: expected packet buffer of %u bytes; got %u bytes
%hs: expected packet size in %u bytes; got %u bytes
%hs: expected packet size in %u bytes; got %u bytes
%hs: received %u bytes; 0 expected
%hs: received %u bytes; 0 expected
xx
xx
C:\ProgramData\STOPzilla!\dumps\SZServer.exefatal
C:\ProgramData\STOPzilla!\dumps\SZServer.exefatal
7.0.1.3
7.0.1.3
SZServer.exe
SZServer.exe
SBAMSvc.exe_3448:
.text
`.rdata
@.data
.rsrc
@.reloc
ffff28a4-0506-49af-8a0f-dfa9a4188c50
SbWF_AddPort
SbWF_ClearPorts
SbFweIds_LogPortScans
SbFwe_LogPacketsToUnopenedPorts
Unsupported XML version
XML character encoding not supported
xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance"
line:%d-'
External Entity definitions not supported
Visual C CRT: Not enough memory to complete call to strerror.
GetProcessWindowStation
portuguese-brazilian
operator
unterminated entity reference s
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://
PTF://
default%d
%.20s%d
http-equiv
@/:=?;#%&,
dot operator, U 22C5 ISOamsb
tilde operator = varies with = similar to, U 223C ISOtech
proportional to, U 221D ISOtech
asterisk operator, U 2217 ISOtech
zero width joiner, U 200D NEW RFC 2070
zero width non-joiner, U 200C NEW RFC 2070
pluginurl
accesskey
onkeyup
onkeydown
onkeypress
Memory allocation failed : %s
HTTP-EQUIV
Char 0x%X out of allowed range
Unsupported encoding %s
Bytes: 0xX 0xX 0xX 0xX
Bytes: 0xX
Opening and ending tag mismatch: %s and %s
hXXp://VVV.w3.org/TR/REC-html40/loose.dtd
Element %s embeds close tag
Invalid char in CDATA 0x%X
ParsePI: PI %s space expected
ParsePI: PI %s never end ...
htmlParseCharRef: invalid xmlChar value %d
Attribute %s redefined
Unexpected end tag : %s
Tag %s invalid
Couldn't find end of Start Tag %s
Internal error, xmlCopyCharMultiByte 0x%X out of bound
encoding not supported %s
new input from entity: %s
Cannot parse entity %s
Internal entity %s without content !
Internal parameter entity %s without content !
Predefined entity %s without content !
new input from file: %s
failed to load external entity "%s"
Found NULL content in content model of %s
Found PCDATA in content model of %s
ContentModel broken for element %s
Cannot create automata for element %s
Content model of %s is not determinist: %s
Redefinition of element %s
Element %s has too many ID attributes defined : %s
Attribute %s of %s: invalid default value
Attribute %s of element %s: already defined
Element %s has too may ID attributes defined : %s
xmlAddNotationDecl: %s already defined
ID %s already defined
NOTATION %s is not declared
ENTITY attribute %s reference an unknown entity "%s"
ENTITY attribute %s reference an entity "%s" of wrong type
ENTITIES attribute %s reference an unknown entity "%s"
ENTITIES attribute %s reference an entity "%s" of wrong type
NOTATION attribute %s reference an unknown notation "%s"
standalone: %s on %s value had to be normalized based on external subset declaration
Syntax of default value for attribute %s of %s is not valid
ID attribute %s of %s is not valid must be #IMPLIED or #REQUIRED
Element %s has %d ID attribute defined in the internal subset : %s
Element %s has %d ID attribute defined in the external subset : %s
Element %s has ID attributes defined in the internal and external subset : %s
Default value "%s" for attribute %s of %s is not among the enumerated set
Definition of %s has duplicate references of %s
Definition of %s has duplicate references of %s:%s
Definition of %s has duplicate references to %s
Definition of %s has duplicate references to %s:%s
No declaration for attribute %s of element %s
Syntax of value for attribute %s of %s is not valid
Value for attribute %s of %s is different from default "%s"
Value "%s" for attribute %s of %s is not a declared Notation
Value "%s" for attribute %s of %s is not among the enumerated notations
Value "%s" for attribute %s of %s is not among the enumerated set
Value for attribute %s of %s must be "%s"
No declaration for attribute xmlns:%s of element %s
No declaration for attribute xmlns of element %s
Syntax of value for attribute xmlns:%s of %s is not valid
Syntax of value for attribute xmlns of %s is not valid
Value for attribute xmlns:%s of %s is different from default "%s"
Value for attribute xmlns of %s is different from default "%s"
Value "%s" for attribute xmlns:%s of %s is not a declared Notation
Value "%s" for attribute xmlns of %s is not a declared Notation
Value "%s" for attribute xmlns:%s of %s is not among the enumerated notations
Value "%s" for attribute xmlns of %s is not among the enumerated notations
Value "%s" for attribute xmlns:%s of %s is not among the enumerated set
Value "%s" for attribute xmlns of %s is not among the enumerated set
Value for attribute xmlns:%s of %s must be "%s"
Value for attribute xmlns of %s must be "%s"
Element %s content does not follow the DTD, expecting %s, got %s
Element content does not follow the DTD, expecting %s, got %s
No declaration for element %s
Element %s was declared EMPTY this one has content
Element %s was declared #PCDATA but contains non text nodes
Element %s is not declared in %s list of possible children
standalone: %s declared in the external subset contains white spaces nodes
Element %s does not carry attribute %s
Element %s does not carry attribute %s:%s
Element %s required attribute %s:%s has no prefix
Element %s required attribute %s:%s has different prefix
Element %s namespace name for default namespace does not match the DTD
Element %s namespace name for %s does not match the DTD
root and DTD name do not match '%s' and '%s'
attribute %s line %d references an unknown ID "%s"
IDREF attribute %s references an unknown ID "%s"
IDREFS attribute %s references an unknown ID "%s"
xmlValidateAttributeCallback(%s): internal error
attribute %s: could not find decl for element %s
NOTATION attribute %s declared for EMPTY element %s
%s:%d:
Entity: line %d:
element %s:
%d;
%X;
:/?_.#&;=
%s: out of memory
Entity(%s) document marked standalone but requires external subset
Failure to process entity %s
Entity(%s) already defined in the internal subset
Entity(%s) already defined in the external subset
SAX.xmlSAX2EntityDecl(%s) called while not in subset
SAX.xmlSAX2AttributeDecl(%s) called while not in subset
SAX.xmlSAX2ElementDecl(%s) called while not in subset
SAX.xmlSAX2NotationDecl(%s) externalID or PublicID missing
SAX.xmlSAX2NotationDecl(%s) called while not in subset
SAX.xmlSAX2UnparsedEntityDecl(%s) called while not in subset
invalid namespace declaration '%s'
Avoid attribute ending with ':' like '%s'
xmlns: %s not a valid URI
xmlns: URI %s is not absolute
Empty namespace name for prefix %s
xmlns:%s: %s not a valid URI
xmlns:%s: URI %s is not absolute
Namespace prefix %s of attribute %s is not defined
Attribute %s in %s redefined
xml:id : attribute value %s is not an NCName
standalone: attribute %s on %s defaulted from external subset
Namespace prefix %s is not defined
Namespace prefix %s was not found
Attempt to load network entity %s
Operation timed out
Broken pipe
Operation not permitted
Inappropriate I/O control operation
Not supported
Operation in progress
Operation canceled
creating HTTP output context
xmlIOHTTPWrite: %s
%s '%s'.
xmlIOHTTPCloseWrite: %s '%s' %s '%s'.
failed. HTTP return code:
xmlIOHTTPCloseWrite: HTTP '%s' of %d %s
'%s' %s %d
failed to load HTTP resource "%s"
failed to load HTTP resource
Unknown encoding %s
xmlRegisterCharEncodingHandler: Too many handler registered, see %s
0xX 0xX 0xX 0xX
input conversion failed due to input error, bytes %s
output conversion failed due to conv error, bytes %s
Attribute %s:%s redefined
conditional section INCLUDE or IGNORE keyword expected
Pbm popping %d NS
Excessive depth in document: %d use XML_PARSE_HUGE option
Popping input %d
%s(%d):
Pushing input %d : %.30s
xmlParseCharRef: invalid xmlChar value %d
xmlParseStringCharRef: invalid xmlChar value %d
new blanks wrapper for entity: %s
PEReference: %s
PEReference: %%%s; not found
PEReference: %s is not a parameter entity
Name %s is not XML Namespace compliant
EntityValue: '%c' forbidden except for entities references
PCDATA invalid Char value %d
xmlParseComment: invalid xmlChar value %d
colon are forbidden from PI names '%s'
Catalog PI syntax error: %s
colon are forbidden from notation names '%s'
colon are forbidden from entities names '%s'
Invalid URI: %s
xmlParseEntityDecl: entity %s not terminated
standalone: attribute notation value token %s duplicated
standalone: attribute enumeration value token %s duplicated
xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE
xmlParseElementChildrenContentDecl : '%c' expected
xmlParseElementContentDecl : %s '(' expected
Entity '%s' failed to parse
Entity '%s' not defined
Entity reference to unparsed entity %s
Attribute references external entity '%s'
Attempt to reference the parameter entity '%s'
Internal: %%%s; is not a parameter entity
Reading %s entity content input
xmlLoadEntityContent: invalid char value %d
%%%s; is not a parameter entity
Specification mandate value for attribute %s
Malformed value for xml:lang : %s
Invalid value "%s" for xml:space : "default" or "preserve" expected
Opening and ending tag mismatch: %s line %d and %s
Failed to parse QName '%s'
Failed to parse QName '%s:'
Failed to parse QName '%s:%s:'
xmlns: '%s' is not a valid URI
hXXp://VVV.w3.org/2000/xmlns/
xmlns:%s: Empty XML namespace is not allowed
xmlns:%s: '%s' is not a valid URI
Namespace prefix %s for %s on %s is not defined
Namespaced Attribute %s in '%s' redefined
Namespace prefix %s on %s is not defined
Couldn't find end of Start Tag %s line %d
Premature end of data in tag %s line %d
Unsupported version '%s'
Free catalog entry %s
%s entry lacks '%s'
Found %s: '%s' '%s'
Found %s: '%s'
%s entry '%s' broken ?: %s
Invalid value for prefer: '%s'
Failed to parse catalog %s
%d Parsing catalog %s
File %s is not an XML Catalog
Found %s in file hash
%s not found in file hash
%s added to file hash
Detected recursion in catalog %s
Found system match %s, using %s
Using rewriting rule %s
Trying system delegate %s
Found public match %s
Trying public delegate %s
Found URI match %s
Trying URI delegate %s
Public URN ID %s expanded to NULL
Public URN ID expanded to %s
System URN ID %s expanded to NULL
System URN ID expanded to %s
URN ID %s expanded to NULL
URN ID expanded to %s
Resolve: pubID %s sysID %s
Resolve: pubID %s
Resolve: sysID %s
Resolve URI %s
libxml2.dll
Adding document catalog %s
Local Resolve: pubID %s sysID %s
Local Resolve: pubID %s
Local Resolve: sysID %s
failed to compile: %s
creating execution context
ftp_proxy
FTP_PROXY
ftp_proxy_user
ftp_proxy_password
allocating FTP context
USER %s
PASS anonymous@
PASS %s
SITE %s
USER anonymous@%s
USER %s@%s
FTP server asking for ACCNT on anonymous
%u,%u,%u,%u,%u,%u
PORT %d,%d,%d,%d,%d,%d
RETR %s
http_proxy
HTTP_PROXY
HTTP/
error connecting to HTTP server
Not a valid HTTP URI
%s hXXp://%s:%d%s
%s hXXp://%s%s
%s %s
HTTP/1.0
Host: %s
Host: %s:%d
Content-Type: %s
Content-Length: %d
Invalid operand
Missing closing curly brace
hXXp://relaxng.org/ns/structure/1.0
hXXp://VVV.w3.org/2001/XMLSchema
SupplementalMathematicalOperators
MathematicalOperators
hXXp://VVV.w3.org/2001/XMLSchema-instance
%d.%d.%d.%d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
FenumOperation
AllowedOperations
MonitoredURL
HttpServerConfig\HttpServerConfig.cpp
HttpServerConfig
18446744073709551615
URL="
-2147483648
2147483647
enumOperation="
Password
Port
4294967295
4.0.0
LanGuardConfig\LanGuardConfig.cpp
Port="
Password="
ProductKey
Web_Alerts
port
fileurl
passwordHistory
minimumPasswordAge
maximumPasswordAge
minimumPasswordLength
transport
LoginShell
BadPasswordsCount
PasswordAge
passworded
PrimaryKey
udp_ports
ports
transports
iswindows
Importance
SystemUpdateScanResults\SystemUpdateScanResults.cpp
Importance="
PrimaryKey="
passworded="
transport="
ProductKey="
RegistrationKey
RegistrationKey="
Telemetry\Telemetry.cpp
LanGuardToolCfg_Updates\LanGuardToolCfg_Updates.cpp
LanGuardResults\LanGuardResults.cpp
LogToWindowsEventLog
LogToWindowsEventLog="
ServiceConfig\ServiceConfig.cpp
ScanConfig\ScanConfig.cpp
SendFileURL
ThreatNetQueryURL
ThreatNetURL
TelemetryURL
TelemetryURL="
ThreatNetURL="
ThreatNetQueryURL="
SendFileURL="
ThreatNetConfig\ThreatNetConfig.cpp
ThreatNetResponse\ThreatNetResponse.cpp
ntosExport
ntdllExport
reportonly
authorURL
RegKey
MsgID
ThreatNetTransfer\ThreatNetTransfer.cpp
MsgID="
RegKey="
reportonly="
ntdllExport="
ntosExport="
AutoGetURL
UpdateURL
RegistrationURL
RegistrationURL="
UpdateURL="
AutoGetURL="
RegistrationConfig\RegistrationConfig.cpp
BaseURL
ThreatDefinitionsConfig\ThreatDefinitionsConfig.cpp
BaseURL="
NVPairs\NVPairs.cpp
APEvent\APEvent.cpp
ScanResults\ScanResults.cpp
QuarantineFile\QuarantineFile.cpp
ProcessList\ProcessList.cpp
SoftwareUpdateConfig\SoftwareUpdateConfig.cpp
BadUrl
SocialWatchHistory\SocialWatchHistory.cpp
Url="
WindowsLiveMailClientEnabled
BadUrlActionEnum
BadUrlCheckingEnabled
BadUrlReplacementText
CloseEmailWindowMsg
SMTPErrorString
SMTPErrorString="
CloseEmailWindowMsg="
BadUrlReplacementText="
BadUrlCheckingEnabled="
BadUrlActionEnum="
WindowsLiveMailClientEnabled="
EmailAVConfig\EmailAVConfig.cpp
QuarantineRecord\QuarantineRecord.cpp
WSCConfig\WSCConfig.cpp
APConfig\APConfig.cpp
BadUrls
FWWebFilterHourlyStats
FWWebFilterHourlyStats\FWWebFilterHourlyStats.cpp
FWWebFilterStats
UserKnownBadUrl
BadUrlBlockingException
UserKnownBadUrls
BadUrlBlockingExceptions
Ports
WebFilterStatsFreq
LogWebFilterEvents
LogWebFilterEvents="
WebFilterStatsFreq="
WebFilterConfig\WebFilterConfig.cpp
WebConfig
BadUrlRule
WebFilterEvent
BadUrlRule="
FWFilterHourlyStats
FWFilterHourlyStats\FWFilterHourlyStats.cpp
PortScanIntrusions
FWIDSHourlyStats
FWIDSHourlyStats\FWIDSHourlyStats.cpp
PortScanIntrusions="
TcpOutPackets
TcpOutBytes
TcpInPackets
TcpInBytes
UdpOutPackets
UdpOutBytes
UdpInPackets
UdpInBytes
FWNetworkHourlyStats
FWNetworkHourlyStats\FWNetworkHourlyStats.cpp
UdpInBytes="
UdpInPackets="
UdpOutBytes="
UdpOutPackets="
TcpInBytes="
TcpInPackets="
TcpOutBytes="
TcpOutPackets="
RemotePorts
LocalPorts
PortEnd
PortStart
PortType
PortScanLog
PortScanAllow
LogPacketsToUnopenedPorts
LogPortScans
LogPortScans="
LogPacketsToUnopenedPorts="
FirewallConfig\FirewallConfig.cpp
PortScanAllow="
PortScanLog="
PortType="
PortStart="
PortEnd="
Tcp_Udp_RemotePort
Tcp_Udp_LocalPort
PacketToUnopenedPortEvent
FWEvent\FWEvent.cpp
Tcp_Udp_LocalPort="
Tcp_Udp_RemotePort="
Msg="
FWIDSRules\FWIDSRules.cpp
HipsConfig\HipsConfig.cpp
HipsHourlyStats
HipsHourlyStats\HipsHourlyStats.cpp
ScanResultsSummary\ScanResultsSummary.cpp
Operation
d:\projects\workspace\sdk-sdk\src\bin\Release\SBAMSvc.pdb
SpursDownload.dll
SBTE.dll
SBAPSetReportCallbackEx
SBAPSetReportCallback
sbap.dll
SBArva.dll
VERSION.dll
WinHttpSendRequest
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpWriteData
WinHttpOpenRequest
WinHttpReadData
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WINHTTP.dll
WinHttpSetTimeouts
WINMM.dll
PSAPI.DLL
SbHips.dll
WS2_32.dll
msi.dll
GetExtendedTcpTable
GetExtendedUdpTable
IPHLPAPI.DLL
GetProcessHeap
SetThreadExecutionState
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
RegCreateKeyW
CryptDestroyKey
CryptDeriveKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
sfc.dll
pdh.dll
UrlGetPartW
SHLWAPI.dll
HttpAddUrl
HttpInitialize
HttpCreateHttpHandle
HttpReceiveHttpRequest
HttpSendHttpResponse
HttpReceiveRequestEntityBody
HttpRemoveUrl
HTTPAPI.dll
USERENV.dll
WinHttpSetOption
WinHttpSetOption
GetCPInfo
GetCPInfo
PeekNamedPipe
PeekNamedPipe
.?AV?$CAtlExeModuleT@VCSBAMSvcModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCSBAMSvcModule@@@ATL@@
.PA_W
.PA_W
.?AVISBWebFilterEvents@@
.?AVISBWebFilterEvents@@
.?AV?$CProxy_ISBWebFilterEvents@VCSBWebFilter@@@@
.?AV?$CProxy_ISBWebFilterEvents@VCSBWebFilter@@@@
.?AV?$IConnectionPointImplMT@VCSBWebFilter@@$1?_GUID_eecd4897_dd51_476d_9913_b9c808885f03@@3U__s_GUID@@BVCComDynamicUnkArray@ATL@@@ATL@@
.?AV?$IConnectionPointImplMT@VCSBWebFilter@@$1?_GUID_eecd4897_dd51_476d_9913_b9c808885f03@@3U__s_GUID@@BVCComDynamicUnkArray@ATL@@@ATL@@
.?AV?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@
.?AV?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@
.?AV?$CComObject@VCSBWebFilter@@@ATL@@
.?AV?$CComObject@VCSBWebFilter@@@ATL@@
.?AVCSBWebFilter@@
.?AVCSBWebFilter@@
.?AV?$CComCoClass@VCSBWebFilter@@$1?CLSID_SBWebFilter@@3U_GUID@@B@ATL@@
.?AV?$CComCoClass@VCSBWebFilter@@$1?CLSID_SBWebFilter@@3U_GUID@@B@ATL@@
.?AV?$IConnectionPointContainerImpl@VCSBWebFilter@@@ATL@@
.?AV?$IConnectionPointContainerImpl@VCSBWebFilter@@@ATL@@
.?AUISBWebFilter@@
.?AUISBWebFilter@@
.?AV?$CComContainedObject@VCSBWebFilter@@@ATL@@
.?AV?$CComContainedObject@VCSBWebFilter@@@ATL@@
.?AV?$CComObjectCached@VCSBWebFilter@@@ATL@@
.?AV?$CComObjectCached@VCSBWebFilter@@@ATL@@
.?AV?$CComAggObject@VCSBWebFilter@@@ATL@@
.?AV?$CComAggObject@VCSBWebFilter@@@ATL@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@@ATL@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@@ATL@@
zcÃ
zcÃ
.?AVCHttpServerConfig@SbXmlHttpServerConfig@@
.?AVCHttpServerConfig@SbXmlHttpServerConfig@@
.?AVCMonitoredURL@SbXmlHttpServerConfig@@
.?AVCMonitoredURL@SbXmlHttpServerConfig@@
.?AVCAllowedOperations@SbXmlHttpServerConfig@@
.?AVCAllowedOperations@SbXmlHttpServerConfig@@
.?AVCWeb_Alerts@SbXmlSystemUpdateScanResults@@
.?AVCWeb_Alerts@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports_port@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports_port@SbXmlSystemUpdateScanResults@@
.?AVCports@SbXmlSystemUpdateScanResults@@
.?AVCports@SbXmlSystemUpdateScanResults@@
.?AVCport@SbXmlSystemUpdateScanResults@@
.?AVCport@SbXmlSystemUpdateScanResults@@
.?AVCtransports@SbXmlSystemUpdateScanResults@@
.?AVCtransports@SbXmlSystemUpdateScanResults@@
.?AVCBadUrls@SbXmlEmailAvEvent@@
.?AVCBadUrls@SbXmlEmailAvEvent@@
.?AVCBadUrls@SbXmlBadUrls@@
.?AVCBadUrls@SbXmlBadUrls@@
.?AVCFWWebFilterHourlyStats@SbXmlFWWebFilterHourlyStats@@
.?AVCFWWebFilterHourlyStats@SbXmlFWWebFilterHourlyStats@@
.?AVCFWWebFilterStats@SbXmlFWWebFilterHourlyStats@@
.?AVCFWWebFilterStats@SbXmlFWWebFilterHourlyStats@@
.?AVCWebConfig@SbXmlWebFilterConfig@@
.?AVCWebConfig@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrls@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrls@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrl@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrl@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingExceptions@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingExceptions@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingException@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingException@SbXmlWebFilterConfig@@
.?AVCPorts@SbXmlWebFilterConfig@@
.?AVCPorts@SbXmlWebFilterConfig@@
.?AVCPort@SbXmlWebFilterConfig@@
.?AVCPort@SbXmlWebFilterConfig@@
.?AVCWebFilterEvent@SbXmlWebFilterEvent@@
.?AVCWebFilterEvent@SbXmlWebFilterEvent@@
.?AVCBadUrl@SbXmlWebFilterEvent@@
.?AVCBadUrl@SbXmlWebFilterEvent@@
.?AVCFWFilterHourlyStats@SbXmlFWFilterHourlyStats@@
.?AVCFWFilterHourlyStats@SbXmlFWFilterHourlyStats@@
.?AVCFWFilterStats@SbXmlFWFilterHourlyStats@@
.?AVCFWFilterStats@SbXmlFWFilterHourlyStats@@
.?AVCFWIDSHourlyStats@SbXmlFWIDSHourlyStats@@
.?AVCFWIDSHourlyStats@SbXmlFWIDSHourlyStats@@
.?AVCFWIDSStats@SbXmlFWIDSHourlyStats@@
.?AVCFWIDSStats@SbXmlFWIDSHourlyStats@@
.?AVCFWNetworkHourlyStats@SbXmlFWNetworkHourlyStats@@
.?AVCFWNetworkHourlyStats@SbXmlFWNetworkHourlyStats@@
.?AVCFWNetworkStats@SbXmlFWNetworkHourlyStats@@
.?AVCFWNetworkStats@SbXmlFWNetworkHourlyStats@@
.?AVCRemotePorts@SbXmlFirewallConfig@@
.?AVCRemotePorts@SbXmlFirewallConfig@@
.?AVCLocalPorts@SbXmlFirewallConfig@@
.?AVCLocalPorts@SbXmlFirewallConfig@@
.?AVCPort@SbXmlFirewallConfig@@
.?AVCPort@SbXmlFirewallConfig@@
.?AVCRemotePorts@SbXmlFWEvent@@
.?AVCRemotePorts@SbXmlFWEvent@@
.?AVCLocalPorts@SbXmlFWEvent@@
.?AVCLocalPorts@SbXmlFWEvent@@
.?AVCPort@SbXmlFWEvent@@
.?AVCPort@SbXmlFWEvent@@
.?AVCPacketToUnopenedPortEvent@SbXmlFWEvent@@
.?AVCPacketToUnopenedPortEvent@SbXmlFWEvent@@
.?AVCHipsHourlyStats@SbXmlHipsHourlyStats@@
.?AVCHipsHourlyStats@SbXmlHipsHourlyStats@@
.?AVCHipsStats@SbXmlHipsHourlyStats@@
.?AVCHipsStats@SbXmlHipsHourlyStats@@
'SBAMSvc.EXE'
SBAMSvc.SBScanControl.1 = s 'SBScanControl Class'
CLSID = s '{EC88394A-429C-4DDB-91EA-570E938B79DF}'
SBAMSvc.SBScanControl = s 'SBScanControl Class'
CurVer = s 'SBAMSvc.SBScanControl.1'
ForceRemove {EC88394A-429C-4DDB-91EA-570E938B79DF} = s 'SBScanControl Class'
ProgID = s 'SBAMSvc.SBScanControl.1'
VersionIndependentProgID = s 'SBAMSvc.SBScanControl'
'TypeLib' = s '{78FA6088-B9C6-4749-833B-4421E29E84E7}'
SBAMSvc.SBQuarantine.1 = s 'SBQuarantine Class'
CLSID = s '{8B404080-4780-4199-92ED-B05B61C657EE}'
SBAMSvc.SBQuarantine = s 'SBQuarantine Class'
CurVer = s 'SBAMSvc.SBQuarantine.1'
ForceRemove {8B404080-4780-4199-92ED-B05B61C657EE} = s 'SBQuarantine Class'
ProgID = s 'SBAMSvc.SBQuarantine.1'
VersionIndependentProgID = s 'SBAMSvc.SBQuarantine'
SBAMSvc.SBLogger.1 = s 'SBLogger Class'
CLSID = s '{24CEBDF0-E1CC-4933-893E-F1D1A4078D97}'
SBAMSvc.SBLogger = s 'SBLogger Class'
CurVer = s 'SBAMSvc.SBLogger.1'
ForceRemove {24CEBDF0-E1CC-4933-893E-F1D1A4078D97} = s 'SBLogger Class'
ProgID = s 'SBAMSvc.SBLogger.1'
VersionIndependentProgID = s 'SBAMSvc.SBLogger'
SBAMSvc.SBService.1 = s 'SBService Class'
CLSID = s '{FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}'
SBAMSvc.SBService = s 'SBService Class'
CurVer = s 'SBAMSvc.SBService.1'
ForceRemove {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43} = s 'SBService Class'
ProgID = s 'SBAMSvc.SBService.1'
VersionIndependentProgID = s 'SBAMSvc.SBService'
SBAMSvc.SBSoftwareUpdates.1 = s 'SBSoftwareUpdates Class'
CLSID = s '{2017CFB9-B2A2-4A98-BD9B-0D9D980B2193}'
SBAMSvc.SBSoftwareUpdates = s 'SBSoftwareUpdates Class'
CurVer = s 'SBAMSvc.SBSoftwareUpdates.1'
ForceRemove {2017CFB9-B2A2-4A98-BD9B-0D9D980B2193} = s 'SBSoftwareUpdates Class'
ProgID = s 'SBAMSvc.SBSoftwareUpdates.1'
VersionIndependentProgID = s 'SBAMSvc.SBSoftwareUpdates'
SBAMSvc.SBWSC.1 = s 'SBWSC Class'
CLSID = s '{157EAC4E-6E3C-419A-BDCB-546345690DEB}'
SBAMSvc.SBWSC = s 'SBWSC Class'
CurVer = s 'SBAMSvc.SBWSC.1'
ForceRemove {157EAC4E-6E3C-419A-BDCB-546345690DEB} = s 'SBWSC Class'
ProgID = s 'SBAMSvc.SBWSC.1'
VersionIndependentProgID = s 'SBAMSvc.SBWSC'
SBAMSvc.SBVipre.1 = s 'SBVipre Class'
CLSID = s '{C4F66612-D788-4F33-92AF-6DAC6FC80C35}'
SBAMSvc.SBVipre = s 'SBVipre Class'
CurVer = s 'SBAMSvc.SBVipre.1'
ForceRemove {C4F66612-D788-4F33-92AF-6DAC6FC80C35} = s 'SBVipre Class'
ProgID = s 'SBAMSvc.SBVipre.1'
VersionIndependentProgID = s 'SBAMSvc.SBVipre'
SBAMSvc.SBThreatDefinitions.1 = s 'SBThreatDefinitions Class'
CLSID = s '{05191E1B-B7D8-42DD-A52A-88011228A14F}'
SBAMSvc.SBThreatDefinitions = s 'SBThreatDefinitions Class'
CurVer = s 'SBAMSvc.SBThreatDefinitions.1'
ForceRemove {05191E1B-B7D8-42DD-A52A-88011228A14F} = s 'SBThreatDefinitions Class'
ProgID = s 'SBAMSvc.SBThreatDefinitions.1'
VersionIndependentProgID = s 'SBAMSvc.SBThreatDefinitions'
SBAMSvc.SBActiveProtection.1 = s 'SBActiveProtection Class'
CLSID = s '{5F6DA338-15AC-4927-BC8B-B8C52EEEC9EB}'
SBAMSvc.SBActiveProtection = s 'SBActiveProtection Class'
CurVer = s 'SBAMSvc.SBActiveProtection.1'
ForceRemove {5F6DA338-15AC-4927-BC8B-B8C52EEEC9EB} = s 'SBActiveProtection Class'
ProgID = s 'SBAMSvc.SBActiveProtection.1'
VersionIndependentProgID = s 'SBAMSvc.SBActiveProtection'
SBAMSvc.SBRegistration.1 = s 'SBRegistration Class'
CLSID = s '{15C44439-2DE8-4217-B61D-146E347199A6}'
SBAMSvc.SBRegistration = s 'SBRegistration Class'
CurVer = s 'SBAMSvc.SBRegistration.1'
ForceRemove {15C44439-2DE8-4217-B61D-146E347199A6} = s 'SBRegistration Class'
ProgID = s 'SBAMSvc.SBRegistration.1'
VersionIndependentProgID = s 'SBAMSvc.SBRegistration'
SBAMSvc.SBEmailAV.1 = s 'SBEmailAV Class'
CLSID = s '{DB7777B6-5C67-4C49-BD93-EE9AE1F03085}'
SBAMSvc.SBEmailAV = s 'SBEmailAV Class'
CurVer = s 'SBAMSvc.SBEmailAV.1'
ForceRemove {DB7777B6-5C67-4C49-BD93-EE9AE1F03085} = s 'SBEmailAV Class'
ProgID = s 'SBAMSvc.SBEmailAV.1'
VersionIndependentProgID = s 'SBAMSvc.SBEmailAV'
SBAMSvc.SBWebFilter.1 = s 'SBWebFilter Class'
CLSID = s '{2BAA4D68-DB29-40DF-806A-B392073A7EF2}'
SBAMSvc.SBWebFilter = s 'SBWebFilter Class'
CurVer = s 'SBAMSvc.SBWebFilter.1'
ForceRemove {2BAA4D68-DB29-40DF-806A-B392073A7EF2} = s 'SBWebFilter Class'
ProgID = s 'SBAMSvc.SBWebFilter.1'
VersionIndependentProgID = s 'SBAMSvc.SBWebFilter'
SBAMSvc.SBFirewall.1 = s 'SBFirewall Class'
CLSID = s '{F2C6E6BB-C773-4941-B61B-3CBEFD46F64D}'
SBAMSvc.SBFirewall = s 'SBFirewall Class'
CurVer = s 'SBAMSvc.SBFirewall.1'
ForceRemove {F2C6E6BB-C773-4941-B61B-3CBEFD46F64D} = s 'SBFirewall Class'
ProgID = s 'SBAMSvc.SBFirewall.1'
VersionIndependentProgID = s 'SBAMSvc.SBFirewall'
SBAMSvc.SBHIPS.1 = s 'SBHIPS Class'
CLSID = s '{4BB09156-340D-491A-B86B-A0C2A7BA26A9}'
SBAMSvc.SBHIPS = s 'SBHIPS Class'
CurVer = s 'SBAMSvc.SBHIPS.1'
ForceRemove {4BB09156-340D-491A-B86B-A0C2A7BA26A9} = s 'SBHIPS Class'
ProgID = s 'SBAMSvc.SBHIPS.1'
VersionIndependentProgID = s 'SBAMSvc.SBHIPS'
SBAMSvc.SBLanGuard.1 = s 'SBLanGuard Class'
CLSID = s '{85300480-82AD-4892-9043-35D62E097D66}'
SBAMSvc.SBLanGuard = s 'SBLanGuard Class'
CurVer = s 'SBAMSvc.SBLanGuard.1'
ForceRemove {85300480-82AD-4892-9043-35D62E097D66} = s 'SBLanGuard Class'
ProgID = s 'SBAMSvc.SBLanGuard.1'
VersionIndependentProgID = s 'SBAMSvc.SBLanGuard'
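The block above is the ATL registrar (.rgs) script embedded in SBAMSvc.EXE, flattened by the strings extractor into one quoted value per line. It tells a responder which COM coclasses the service can register under HKCR, but not whether it actually did on a given host. The following Python is an added example, not part of this report or of the vendor's code: it parses that flattened dump into ProgID/CLSID records, flags any block whose ForceRemove GUID disagrees with its CLSID value (a sign of a mis-split dump), and emits the reg query commands to run on the host to confirm which CLSIDs are really present. The embedded sample is three of the fifteen blocks copied verbatim from the dump; the 'TypeLib' line is attached only to the first block because the dump shows it once (presumably the identical literal is stored once in the binary).

```python
"""Parse a flattened ATL .rgs strings dump into COM coclass records.

Added example for this report; not the vendor's code. RGS_DUMP below is
three blocks copied verbatim from the SBAMSvc.EXE strings listing above.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

RGS_DUMP = """\
SBAMSvc.SBScanControl.1 = s 'SBScanControl Class'
CLSID = s '{EC88394A-429C-4DDB-91EA-570E938B79DF}'
SBAMSvc.SBScanControl = s 'SBScanControl Class'
CurVer = s 'SBAMSvc.SBScanControl.1'
ForceRemove {EC88394A-429C-4DDB-91EA-570E938B79DF} = s 'SBScanControl Class'
ProgID = s 'SBAMSvc.SBScanControl.1'
VersionIndependentProgID = s 'SBAMSvc.SBScanControl'
'TypeLib' = s '{78FA6088-B9C6-4749-833B-4421E29E84E7}'
SBAMSvc.SBFirewall.1 = s 'SBFirewall Class'
CLSID = s '{F2C6E6BB-C773-4941-B61B-3CBEFD46F64D}'
SBAMSvc.SBFirewall = s 'SBFirewall Class'
CurVer = s 'SBAMSvc.SBFirewall.1'
ForceRemove {F2C6E6BB-C773-4941-B61B-3CBEFD46F64D} = s 'SBFirewall Class'
ProgID = s 'SBAMSvc.SBFirewall.1'
VersionIndependentProgID = s 'SBAMSvc.SBFirewall'
SBAMSvc.SBLanGuard.1 = s 'SBLanGuard Class'
CLSID = s '{85300480-82AD-4892-9043-35D62E097D66}'
SBAMSvc.SBLanGuard = s 'SBLanGuard Class'
CurVer = s 'SBAMSvc.SBLanGuard.1'
ForceRemove {85300480-82AD-4892-9043-35D62E097D66} = s 'SBLanGuard Class'
ProgID = s 'SBAMSvc.SBLanGuard.1'
VersionIndependentProgID = s 'SBAMSvc.SBLanGuard'
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "SBAMSvc.SBScanControl.1 = s '...'" (dotted ProgID ending in a version) opens a block.
RE_VERSIONED_PROGID = re.compile(r"^([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+\.\d+) = s '(.*)'$")
RE_CLSID = re.compile(rf"^CLSID = s '({GUID})'$")
RE_FORCEREMOVE = re.compile(rf"^ForceRemove ({GUID}) = s '(.*)'$")
RE_VI_PROGID = re.compile(r"^VersionIndependentProgID = s '(.*)'$")
RE_TYPELIB = re.compile(rf"^'TypeLib' = s '({GUID})'$")


@dataclass
class CoClass:
    progid: str                       # versioned ProgID, e.g. SBAMSvc.SBFirewall.1
    name: str                         # human-readable class name from the script
    clsid: Optional[str] = None
    vi_progid: Optional[str] = None   # VersionIndependentProgID
    typelib: Optional[str] = None
    problems: list = field(default_factory=list)


def parse_rgs_dump(text: str) -> list:
    """Group the flattened lines into one CoClass per versioned-ProgID block."""
    classes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_VERSIONED_PROGID.match(line)
        if m:
            cur = CoClass(progid=m.group(1), name=m.group(2))
            classes.append(cur)
            continue
        if cur is None:
            continue  # stray line before the first block
        if (m := RE_CLSID.match(line)):
            cur.clsid = m.group(1).upper()
        elif (m := RE_FORCEREMOVE.match(line)):
            # The HKCR\CLSID\{GUID} key the script creates must be the same GUID
            # the block's CLSID value points at; otherwise the dump was mis-split.
            if cur.clsid != m.group(1).upper():
                cur.problems.append(f"ForceRemove {m.group(1)} != CLSID {cur.clsid}")
        elif (m := RE_VI_PROGID.match(line)):
            cur.vi_progid = m.group(1)
        elif (m := RE_TYPELIB.match(line)):
            cur.typelib = m.group(1).upper()
    return classes


def by_vi_progid(classes: list) -> dict:
    return {c.vi_progid: c for c in classes if c.vi_progid}


def duplicate_clsids(classes: list) -> set:
    """CLSIDs claimed by more than one block (should be empty for a clean dump)."""
    seen, dups = set(), set()
    for c in classes:
        if c.clsid in seen:
            dups.add(c.clsid)
        seen.add(c.clsid)
    return dups


def registry_queries(classes: list) -> list:
    """cmd.exe commands to check on the host whether each CLSID is registered;
    the strings prove the binary *can* register them, not that it did."""
    return [f'reg query "HKCR\\CLSID\\{c.clsid}" /s' for c in classes if c.clsid]


if __name__ == "__main__":
    parsed = parse_rgs_dump(RGS_DUMP)
    for c in parsed:
        print(f"{str(c.vi_progid):28} {c.clsid}  typelib={c.typelib}  problems={c.problems}")
    print("\n".join(registry_queries(parsed)))
```

Paste the remaining twelve blocks from the dump into RGS_DUMP to get the full table; a non-empty problems list or a non-empty duplicate_clsids() result means the extracted text was split differently from how the script is laid out and should be re-read by hand before the CLSIDs are used as indicators.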
VIPRE
HttpServer
Failed in starting process
commandLine
WaitForSingleObject returned WAIT_ABANDONED
commandLine
WaitForSingleObject returned WAIT_TIMEOUT
commandLine
fullCmd waitTime mils
Failed to open Registry key, regRc.
Failed to read registry key , regRc.
HttpServer Thread stopped.
Couldn't terminate HttpServer thread.
SBHttpServer
CSBHttpServerImpl::StopThread
Couldn't stop HttpServer thread. Attempting to Terminate Thread.
CSBHttpServerImpl::StopController
HttpServer controller stopped.
127.0.0.1
Config file may not exist or is corrupted. Creating default config file for the HttpServer controller.
HttpServer Thread quit event set.
Unknown return status from WaitForMultipleObjects() [%u].
Waiting for HttpServer events.
Registering %s failed with %lu
hXXp:// :53911/WOT/Query/
CSBHttpServerImpl::HttpServerThread
HttpInitialize failed with %lu
HttpServer thread succesfully started
Failed starting HttpServer thread.
The HttpServer thread is already running.
CSBHttpServerImpl::StartThread
Starting HttpServer thread.
the HttpServer config file
CSBHttpServerImpl::SaveConfigToDisk
HttpServerConfig.xml
CSBHttpServerImpl::GetConfigObjectFromDisk
Couldn't start HttpServer controller's thread.
HttpServer thread started successfully.
HttpServerConfig not loaded successfully. Using default values, changes not persisted.
HttpServerConfig Loaded successfully.
HttpServer thread already started, exiting StartController.
CSBHttpServerImpl::StartController
Entering HttpServer module StartController.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
CSBLanGuard::StopAllRemediationOperations
CSBLanGuard::GetWindowsUpdateSettings
CSBLanGuard::SetWindowsUpdateSettings
Setting the this pointer for the LanGuard CoClass [%x].
An error occurred attempting to get the Windows Update ScheduledInstallationTime setting hr=[%x].
An error occurred attempting to get the Windows Update ScheduledInstallationDay setting hr=[%x].
An error occurred attempting to get the Windows Update ReadOnly setting hr=[%x].
An error occurred attempting to get the Windows Update Required setting hr=[%x].
An error occurred attempting to get the Windows Update notification level setting hr=[%x].
An error occurred attempting to get the Windows Update settings hr=[%x].
An error occurred attempting to set the Windows Update ServiceEnabled setting hr=[%x].
CSBLanGuardImpl::GetWindowsUpdateSettings
Unable to CoCreateInstance for AutomaticUpdateSettings, hr=[%x].
Enabled the Windows Update service.
An error occurred attempting to enable the Windows Update service hr=[%x].
Unable to set Windows Updates settings because they are ReadOnly. This may be caused by a GroupPolicy setting that prevents this user from changing the settings.
An error occurred attempting to save the current Windows Update settings hr=[%x].
An error occurred attempting to set the Windows Update ScheduledInstallationTime setting to [%d], hr=[%x].
An error occurred attempting to set the Windows Update ScheduledInstallationDay setting to [%d], hr=[%x].
An error occurred attempting to set the Windows Update notification level setting to [%d], hr=[%x].
An error occurred attempting to read the current Windows Update setting hr=[%x].
CSBLanGuardImpl::SetWindowsUpdateSettings
IDispatch error #%d
Adding System Update schedule item. The last scan was run on (%s), the ScanInterval is [%d] hours.
Adding System Update schedule item. The last definition update check was run on (%s), the UpdateInterval is [%d] hours.
Unable to locate an item in the HiddenUpdates collection while trying to remove an item from the HiddenUpdates collection. The update ID (%s) may not be removed from the Hidden Updates collection and may NOT be show to the user.
Found Update name (%s), with matching Digest of (%s).
Last successful scan results path is .
An error occurred attempting to initialize LanGuard; com error(0x%x) : (%s)
An error occurred attempting to initialize LanGuard; return code (0x%x)
Got current thread state (%s) and reboot required is (%s).
Error creating the MantleServer object; com error: (%s). Unable to communicate with the LanGuard process.
Failed connecting to the MantleServer object; com error: (%s)
Error creating the MantleServer object; com error: (%s). Unable to communicate with the LanGuard process.
We were unable to Create an instance of the LanGuard interface and the result returned was [0x%x]. We are NOT connected to the LanGuard interface.
An error occurred attempting to StopAllScans; com error(0x%x) : (%s)
An error occurred attempting to StopAllRemediationOperations; com error(0x%x) : (%s)
Stopped all LanGuard RemediationOperations successfully.
CSBLanGuardImpl::StopAllRemediationOperations
Unable to stop all LanGuard RemediationOperations. This may be because there are no RemediationOperations currently running.
An error occurred attempting to configure the System Update proxy settings; com error(0x%x) : (%s)
The System Update ProxySettings are (%s) in the configuration file. The LanGuard system will be configured to use (%s) Proxy settings.
An error occurred attempting to ResetProxyToAutomatic; return code (0x%x)
An error occurred attempting to SetProxyServer; return code (0x%x)
An error occurred attempting to SetProxyCredentials; return code (0x%x)
Couldn't find the product element for this patch (%s) in the scan results. Unable to populate the telemetry data.
DownloadFileUrl
Found the product element for this patch (%s) in the scan results. Will populate the telemetry data.
An error occurred attempting to get Languard Build; com error(0x%x) : (%s)
Languard version is , build is
MantleServer build returned: (%s)
ERROR: error geting the MantleServer Build; hr: (%x)
An error occurred attempting to get Languard Version; com error(0x%x) : (%s)
MantleServer version returned: (%s)
ERROR: error geting the MantleServer Version; hr: (%x)
Could not create volatile registry key after update.
Created volatile registry key after update.
Languard Definitions version is , install date is
An error occurred trying to read the version file (%s) for System Update definitions version.
\toolcfg_updates.xml
MantleServer GetDataDir returned: (%s)
ERROR: error geting the Languard DataDir; hr: (%x)
An error [%d] (%s) occurred de-serializing System Update Scan from the file . Unable to determine if a postreboot scan is required.
Failed to serialize %s.
Error serializing %s--%s
Bad argument; pXmlBuf is NULL. %s.
Failed to deserialize %s.
Error deserializing %s--%s
While trying to write LanGuard Config File (%s), received error.
Unable change attributes on the config file: %s
LanGuardConfig.xml
While trying to write a default LanGuard Config File (%s), received error.
While reading the LanGuard Config File (%s). Config file may not exist or is corrupted. Creating default config file for the LanGuard controller.
There are [%u] total updates, [%u] hidden updates and [%u] critical updates.
Update name (%s) is a Microsoft Update. Skipping
The LMX Error [%d] occurred trying to add a blank Update item to the Updates collection. LMX errors are listed in ..\vendor\LMX\include\lmxinternals.h
Added Update name (%s), with Importance of (%s).
Adding [%d] Updates for Product name (%s).
Added dateTimeStamp start: (%s) and end: (%s).
Adding Updates for [%d] Products to the Updates collection.
An error [%d] (%s) occurred de-serializing System Update Scan from the file . Unable to calculate the Update counts for these scan results.
The most recent System Updates scan results file is (%s). We will calculate the counts for Updates using this scan results file.
\LG*.xml
Initialized m_sbxmlTelemetry object from %s
%s\%steltempfile.tmp
\telemetryfile.xml
Transferred telemetry data file named (%s) to the service as (%s).
SbXml::SaveToFile
Simply returned false trying to save (%s).
An error occurred attempting to RemediatePatches; com error(0x%x) : (%s)
RemediatePatches returned an unknown error [%u] (%s).
RemediatePatches returned [%u] remediation was successfull, but some patch requires a reboot to be effective.
RemediatePatches returned an error [%u] remediation engine error (timeout expired while executing patches, default 6 hours) (%s).
RemediatePatches returned an error [%u] unexpected exception (%s).
RemediatePatches returned an error [%u] failure while reading the scanresults database (%s).
RemediatePatches returned an error [%u] one of the patch digests passed for deployment was not found in the scan results (%s).
RemediatePatches returned an error [%u] command XML is invalid (%s).
%s: hr = %d
An error occurred attempting to RemediatePatches; return code (0x%x)
Will remediate using the Patches collection provided (%s).
An error [%d] (%s) occurred de-serializing System Update Scan from the file . Unable to remediate these scan results.
Remediation input file moved from to .
Failed copying file from to . System Updates unable to complete the remediation operation.
The System Updates scan results file is (%s). We will build the list of updates to apply using this scan results file.
An error occurred attempting to LaunchScan; com error(0x%x) : (%s)
An error occurred attempting to LaunchScan; return code (0x%x)
Couldn't deserialize LanGuard Scan results , unable to process the scan results.
An error [%d] (%s) occurred saving the System Update Scan results to . The results of this scan will not be available.
Successfully updated System Update Scan results from .
Launching (%s) Scan. Directing scan output to (%s).
LG%Y%m%d%H%M%S.xml
An error occurred attempting to UpdateAgent; com error(0x%x) : (%s)
An error occurred attempting to UpdateAgent; return code (0x%x)
Couldn't deserialize LanGuard Scan results , unable to process the post remediation scan results.
Successfully updated System Update Post Remediation Scan results from .
Unexpected return status from WaitForMultipleObjects() [%u]. Will ignore and wait for next event.
System Update is set to auto apply patches after a scan. Setting the event to start the remediation process using the scan results file (%s).
It has been [%d] days since our last check for System Update definitions. Definitions update before scan starting.
_pt-BR.dll
_it-IT.dll
_en-US.dll
_de-DE.dll
Loaded resource file
Unable to load resource file
\SBRES_*_*.dll
UI Default Language is: %d
Lazy scan stopping at folder=, file=
Lazy scan stopping at folder=
Lazy scan root folder=
User is %s
UserIdleTime=
CPU is %s, Disk is %s
SBWinHttp callback returned result: %d
Error sending file to BD: [%u].
Adding File to cache: %s
Could not open MIMETypes.txt
Invalid word on MIMEtype.txt for ON/OFF field: (%s)
SiteID is in range. The Enabled flag is .
SiteID=, Enable=, MinID=, MaxID=
\MIMETypes.txt
Unable to get file handle for: (%s)
Could not create ThreatNetTransfer XML for: (%s)
Could not crack the ThreaNet URL nothing will be getting sent. URL=%s
Could not create temp file for transfer. Skipping: %s
Saving query list to %s
%s\Query-%d.xml
Received action response from query: %u
Send file queue max reached in SENDFILE. Dropping file: (%s)
Send file queue max reached in SENDFILEANDCACHE. Dropping file: (%s)
Response file path not found in Query: (%s)
ThreatNetConfig.xml
Setting Threatnet send URL to: (%s).
Setting Threatnet URL to: (%s).
Setting Threatnet query URL to: (%s).
Failed starting ThreatNet thread. Windows Security Center status will not be updated.
Error opening reg key Software\Microsoft\Windows\CurrentVersion\Run.
Sucessfully read keys from Software\Microsoft\Windows\CurrentVersion\Run.
Software\Microsoft\Windows\CurrentVersion\Run
Error opening reg key SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Sucessfully read keys from SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
%d.%d
ThreatNetFileCache.txt
RegOpenKeyEx failed deleting sbamui run key value.
RegDeleteValue failed with return code [%ld] deleting sbamui run key value. Key will not exist after first run.
DeleteRunKeyValue
SBAMUI run key value not found.
AdjustTokenPrivileges (%s) failed.
LookupPrivilegeValue (%s) failed.
{31463A1D-577C-4D78-A9C8-0A65C17727B5}
OnPowerEvent dwEeventType=[%d].
Updated checkpoint [%d] and ServiceStatus is [%d].
OLEAUT32.DLL
Failed starting update_status_thread_handle thread. The service status may not be reported correctly during shutdown process.
HandlerEx dwEeventType=[%d].
HandlerEx dwOpcode=[%d].
Waiting for the Threat Engine Open thread to finish, current CheckPoint is (%d). CheckPoints occur every five seconds until the Threat Engine open completes.
Renamed the old scan history folder (%s) to (%s).
CoInitializeSecurity() failed. HR=0xx
Mscoree.dll
CProxy_ISBServiceEvents::Fire_SendMsgToClientsCB
CSBService::SendMsgToClients
CSBService::OnSendMsgToClientsCB
Setting the this pointer for the Service CoClass [%x].
SERVICE_CONTROL_STOP control message has been sent to the service (%s)
OpenService for (%s) failed. Unable to send the Stop command to the Service.
Set the Service thread priority to %d. This should be THREAD_PRIORITY_NORMAL.
The power status is %d.
Service ErrorState is currently [%s].
CSBServiceImpl::SendMsgToClients
A client is sending a message of type %d, parameters [%u], [%u] to all other clients.
The Embassy Trust Suites wxvault.dll was successfully unloaded from our process space.
Couldn't unload the Embassy Trust Suites wxvault.dll from our process space.
Found the Embassy Trust Suites wxvault.dll loaded into our process space. Attempting to unload it.
wxvault.dll
Failed to OpenService on (%s).
Couldn't read "HKLM\Software" key.
Couldn't read "HKLM\Software\SBAMSvc" key.
Retrieved Enterprise Product Code value [%d] under HKLM\Software\SBAMSvc key. This is an Enterprise agent.
CSBServiceImpl::RetrieveEnterpriseRegKeys
Couldn't get Enterprise Product Code value under "HKLM\Software\SBAMSvc" key. This is not an Enterprise agent.
Couldn't read (%s) key.
CSBServiceImpl::CreateVolatileSystemUpdateRestartKey
Couldn't open "HKLM\Software" key.
Couldn't open "HKLM\Software\SBAMSvc" key.
couldn't set "Company" value under "HKLM\Software\SBAMSvc" key
couldn't set "Product" value under "HKLM\Software\SBAMSvc" key
company and product names persisted
Could not write TypesSupported registry key, error [%ld].
TypesSupported
Could not write EventMessageFile registry key, error [%ld], path (%s).
Could not write CategoryMessageFile registry key, error [%ld], path (%s).
Could not write CategoryCount registry key, error [%ld].
Could not open CurrentControlSet\Services\EventLog\Application\SBAMSvc registry key, error [%ld].
CSBServiceImpl::WriteEventLogKeyToRegistry
Could not open HKLM\System registry key.
Scheduled update or scan is starting now (%s), the last time we woke from sleep was (%s), tNow - tWakeTime = [%d].
Have not already sent this Threat file to ThreatNet.
Threat file with no MD5 was already sent to ThreatNet. Threat file will not be sent to ThreatNet again.
Threat file with MD5 was already sent to ThreatNet. Threat file will not be sent to ThreatNet again.
Unable to save company and product names. There may be problem with the registry. Application data may be written to a different folder.
Saved company and product names.
version is
Unable to set the service startup type to delayed auto start. Non Vista OS doesn't support that setting.
ChangeServiceConfig2 called with service type of delayed SERVICE_AUTO_START for the service (%s)
ChangeServiceConfig2 for (%s) failed. Unable to set the service startup type to delayed auto start.
ChangeServiceConfig called with service type of SERVICE_AUTO_START for the service (%s)
ChangeConfigService for (%s) failed. Unable to send the ChangeServiceConfig command to set the service startup type to auto start.
OpenService for (%s) failed. Unable to send the ChangeServiceConfig command to set the service startup type to auto start.
HTTP Error:%ld
%ld:%s
winhttp.dll
Couldn't create "HKLM\Software\SBAMSvc" key.
Couldn't create default "Product" value under "HKLM\Software\SBAMSvc" key
Couldn't create default "Company" value under "HKLM\Software\SBAMSvc" key.
Created default "(%s)" value under "HKLM\Software\SBAMSvc" key.
Couldn't get "Company" value under "HKLM\Software\SBAMSvc" key. Creating default values.
Company and product names retrieved.
Unable to create folder. AppDataFolder specified but the path (%s) was invalid.
Wrote data of length into file path .
Wrote but expected to write . Write file operation failed, file incomplete.
Failed writing data into file . Write file operation failed.
Failed writing BOM into file path . Write file operation failed.
Couldn't open file path . Write file operation failed.
-X.xml
\%Y%m%d%H%M%S.xml
\AP-%Y%m%d%H%M%S
knownType=%d MD5= csOriginalThreatFilepath=.
Threw an error trying to launch one or more Trays with the path of %s.
An error occured launching one or more Trays with a path of %s.
Tray Execute
The Tray(s) were successfully executed %s.
SBAMTray.exe"
Converted Threat Name (%s) to valid file name.
Checking (%s) to make sure it is valid file name.
/\:?"*|
Couldn't get the installation folder. Unable to set environment variable.
Exceeded max %d in m_AlreadySentToTN. Removing the first in the collection .
Remembering file path so we don't send it to ThreatNet again.
Remembering MD5 for threat so we don't send it to ThreatNet again.
Unable to transfer suspicious file (%s) from APEventID (%s). One or both of the parameters is empty.
Error encrypting Suspicious file to . ThreatNet will not be updated.
Error removing file .
Suspicious threat file transfered to ThreatNet.
File transfer operation failed sending Suspicious file to ThreatNet. ThreatNet will not be updated.
Could not remove old Threatnet file . File is orphaned on the disk.
%Y/%m/%d
quarantine\QR{*.xml
Couldn't set threat engine's Quarantine callback. Operation failed.
Couldn't set threat engine's log callback. Operation failed.
Setting quarantine path to .
Setting Threat engine definitions folder location to .
Created TEL zip file (%s) for transfer to ThreatNet.
Deleted temp TEL zip file (%s).
Error renaming the temp TEL zip file (%s) to (%s).
Improperly formatted file path passed in. Unable to transfer file [%s].
TEL-{%s}
Created FPF zip file (%s) for transfer to ThreatNet.
Deleted temp FPQ zip file (%s).
Error renaming the temp FPF zip file (%s) to (%s).
Error adding FP file (%s) to zip file (%s). FP file will not be sent to ThreatNet.
FPF-{%s}
GetQuarantineFilePathFromID didn't return a path for Quarantine ID (%s). Threat file will not be sent to ThreatNet.
Quarantined threat file transfered to ThreatNet.
File transfer operation failed sending file to ThreatNet.
ThreatNet will not be updated.Error copying file to . ThreatNet will not be updated.There wasn't a Quarantine item for APEventID (%s) might be a suspicious item that wasn't quarantined.Error adding FP Quarantine trace file (%s) to zip file (%s). FP file will not be sent to ThreatNet. Will attempt to get remaining traces.Error adding FP Quarantine Meta Data file (%s) to zip file (%s). FP file will not be sent to ThreatNet.FPQ-%Y%m%d%H%M%S_While saving the Private Config File (%s), InitObjectFromXmlBufferAndLog failed.While saving the Private Config File (%s), SaveToFileAndLog failed.While trying to write Service Config File (%s), received error.ServiceConfig.xmlIncremented the %s counter to %d.%Y-%m-%dFailed to exec Process64.exe to enumerate the 64 bit processes.Failed to retreive the RunningProcsList at (%s).Retreived the RunningProcsList at (%s).Exec'd Process64.exe to enumerate the 64 bit processes.Path to program for reading 64 bit OS process list is (%s).\x64\Process64.exe"Error while reading the Private Config File (%s). Config file may not exist or is corrupted.While trying to write a default Service Config File (%s), received error.While reading the Service Config File (%s). Config file may not exist or is corrupted. Creating default config file for the Service controller.CountScans.XMLCountCleanedScans.XMLCountCleanedAP.XMLCountCleanedEmailAV.XMLCountBlockedByFirewall.XMLInternet access is %sSBAMUIConfig.xmlSocialWatchConfig.xmlError [%d] (%s) occurred saving the Social Watch History to . The history of this scan will not be available.\SW{%s}.xmlNot opted in to ThreatNet bypassing ThreatNet processing.Setting Long Product Name from Short Product Name (%s).Did not find the Email AV Bad Url Replacement message text. Cannot set sku specific config values.Did not find the Email AV SMTP error string. Cannot set sku specific config values.Did not find the SPURS Base URL string resource. 
Cannot set software update sku specific config values.Did not find the ThreatNet telemetry Enterprise URL string resource. Cannot set sku specific config values.Did not find the ThreatNet Send Enterprise URL string resource. Cannot set sku specific config values.Did not find the ThreatNet Query Enterprise URL string resource. Cannot set sku specific config values.Did not find the ThreatNet Enterprise URL string resource. Cannot set sku specific config values.Did not find the SPURS base URL string resource. Cannot set sku specific config values.Did not find the AutoGet URL string resource. Cannot set sku specific config values.Did not find the Registration Update URL string resource. Cannot set sku specific config values.Did not find the Registration URL string resource. Cannot set sku specific config values.Setting Long Product Name (%s).Setting Enterprise Long Product Name (%s).Error setting Company (%s) Product (%s). Cannot set sku specific config values.Firing System error state changed event. Error State is now [%s].%u: %s\EV%s%.02d.xml%Y-%m-%dT%H:%M:%SA client is logging a system event of type %d for subsystem %d.APEvent transfered to ThreatNet.File transfer operation failed sending APEvent: to ThreatNet. ThreatNet will not be updated.FindFirstFile returned an error when we tried to find . There are no FP files to send to ThreatNet.Could not delete FP file . File is orphaned on the disk but will be cleaned by the 30 day purge.File transfer operation failed sending FP file to ThreatNet.Found FP file to send to ThreatNet .FP*.zipFindFirstFile returned an error when we tried to find . There are no telemetry files to send to ThreatNet.Found telemetry file to send to ThreatNet .TEL*.xmlFindFirstFile returned an error when we tried to find . There are no Scan History file to send to ThreatNet.Could not unlink Threatnet file . File is orphaned on the disk.Could not process Suspicious Threat file for APEvent .Could not process Quarantine Threat file for APEvent . 
Looking for Suspicious file.Found APEvent xml file to send to ThreatNet .Error removing file . Exceeded %d APEvent xml files to send to ThreatNet.Exceeded %d APEvent xml files to send to ThreatNet. Removed APEvent xml file .Found scan results file to send to ThreatNet .20*.xmlFindFirstFile returned an error when we tried to find . There are no AP Event XML files to send to ThreatNet.AP*.xmlSet the Service thread priority to %d. This should be THREAD_PRIORITY_LOWEST to minimize the impact of ThreatNet transfers on other applications.Preparing to purge the quarantine. Days to keep = %d.Delete of quarantined item with QId = [%s] failed.Deleted quarantine item with QId = [%s].Preparing to delete QId = [%s].The results for quarantining a file isThe results for quarantining a file areThe results for quaranting a buffer areCouldn't get quarantine record. QId=Successfully got the quarantine record. QId=Got size of quarantined record. quarantineItemSize=[%d]Couldn't get quarantine item following szQID=Successfully queried next quarantined item szQID=Unkown quarantine action type [%d].Found a full path trace to update in known bad apps = [%s], MoveToAlwaysAllowed = %s.Found a threat to add to the always allow [%d].The bulk trojan or AP Holding threat was asked to be added to the ignored threats list from QId = [%s]. That would be bad so adding to known good collection by path instead.Checking threat traces for a file trace to unquarantine for QId = [%s], MoveToAlwaysAllowed = [%s].Could NOT desrialize the quarantine data from the service for ID [%s]. Will not remove quarantine item from always blocked list.Could NOT get the quarantine date for ID [%s]. 
Will not remove quarantine item from always blocked list.Unquarantined failed, no client PID provided, QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].Unquarantined failed because impersonation failed, QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].Unquarantined with impersonation failed QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].Unquarantined with impersonation succeeded, QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].Unquarantined QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].Preparing to unquarantine QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].Processed %d quarantine queue items.Invalid quarantine item action if %d.3.0.11.0.0.1Unable to delete file (%s).Removing old software update download (%s).\*.exeReturning path to software update: (%s).SoftwareUpdateConfig.xmlThe configuration information was saved to file .Just retrieved the SPURS latest version number of %sGot software update file=.Couldn't find any executables in the Download folder. Software update isn't available.Software update enabled flag %s.Current local software version is (%s).Exception thrown by SPURS SDK on download: , continuing anyway. Thread will wait for next event.Exception thrown by SPURS SDK on scheduled download: , continuing anyway. Thread will wait for next event.Unknown dwWaitStatus [%u]. Ignoring this wait return.Wait for event to start operation.Vipre dll version isdefinitions\vcore.dll0.0.0.0CSBThreatDefinitions::ReportClientUpdateStatusSetting the this pointer for the ThreatDefinitions CoClass to .Did not get the mutex but the wait returned with %d, so go ahead and scan.Error retrieving Proxy values (Server = %s, Username %s, Password = %s or Port = %ld) from registry.ProxyPortProxyPasswordSetting the event to wake up the threat definitions controller thread to check for threat defs. Is manual %s.Undefined known state for file .Couldn't get known state for file from threat engine. 
Leaving now.Successfully added a one time schedule item for pre-scan threat defs update check at %s. The timer %s wake up the computer.Deleted defs version file [%s] to force an update to a compatible definitions version.Could not delete defs version file [%s]. The system may run with incompatible definitions until the next update.Definitions\DefVer.txtCurrent defs are version %d, which are newer than or equal to the min needed of %d, definitions version file was not deleted and we will not force an update.Checking to see if this machine has the minimum required defs version needed. Minimum version required is %d, local version is %d.%d (%s)SBCSApplyDefinitionUpdate called back to see if we want to continue and returned (%s). Updates applied %d, total updates to apply %d, reload is (%s).While trying to write the ThreatDefinitions Config File (%s).Error while reading the Config File (%s). Config file may not exist or is corrupted, creating default config file.ThreatDefinitionsConfig.xmlCouldn't save config data, dwError=. New settings were NOT saved into the file.Error converting the config buffer from the client. Unable to save the configuration information to file . Error code was %d.Threat definitions enabled flag %s.CSBThreatDefinitionsImpl::ReportClientUpdateStatusUsing threat defs file in folder .Performing a check for Threat definitions updates. Is manual %s.Unable to apply update .Apply of threat definitions update file succeeded.Unable to manually apply update. There may be a problem with the definitions file (%s).Unknown dwWaitStatus [%d]. Ignoring this wait return.The event to check for a threat definition update before a scan was signalled for schedule item . Checking if an update is needed.The scheduled check for a threat definition update event was signalled for schedule item . Checking if an update is needed.Failed starting worker thread. 
Threat definitions controller is inoperable.Error encountered deserializing the config information .Unable to open the WSC / Action Center service using Service Control Manager, the WSC / Action Center service is not installed and our status will not be reported.Unable to OpenService wscsvc. Vipre features may not be reported correctly in WSC.Unable to OpenSCManager. Vipre features may not be reported correctly in WSC.Unable to get Service settings config object. Vipre features will not be reported in WSC.IsVipre returning %s.QueryStatus returned apState [%d], apStatus [%d].QueryStatus returned fwStatus [%d].Couldn't terminate WSC thread. Windows Security Center status may not correctly reflect the state of the service.Removed Firewall instance from WSC, hr=[%x].Unable to Uninstall Firewall Class from WSC, hr=[%x].Removed AntiSpyware instance from WSC, hr=[%x].Unable to Uninstall AntiSpyware Class from WSC, hr=[%x].Removed AntiVirus instance from WSC, hr=[%x].Unable to Uninstall AntiVirus Class from WSC, hr=[%x].CoCreateInstance for Firewall interface failed, hr=[%x]. Unable to remove our instance from WSCUninstalled Firewall from WSC, hr=[%x].Unable to Uninstall Firewall from WSC, hr=[%x].CoCreateInstance for AntiVirus interface failed, hr=[%x]. Unable to remove our instance from WSCUninstalled AntiVirus from WSC, hr=[%x].Unable to Uninstall AntiVirus from WSC, hr=[%x].CoCreateInstance for AntiSpyware interface failed, hr=[%x]. 
Unable to remove our instance from WSCUninstalled AntiSpyware from WSC, hr=[%x].Unable to Uninstall AntiSpyware from WSC, hr=[%x].Windows type is Vista or newer so we updated AntiSpyware state [%d] and (%s) to WSC.Unable to write AS status to WSC, hr=[%x].IsFirewallSKU returned true so we updated Firewall state [%d] to WSC, hr=[%x].Unable to write FW status to WSC, hr=[%x].IsVipreSKU returned true so we updated AntiVirus state [%d] and (%s) to WSC.Unable to write AV status to WSC, hr=[%x].IsFirewallSKU returned true so we updated Firewall state [%d] to WSC API.Unable to write FW status to WSC, Failed UpdateStatus hr=[%x].Unable to CoCreateInstance for FW with WSC, hr=[%x].IsVipreSKU returned true so we updated AntiVirus state [%d] and (%s) to WSC API.Unable to write AV status to WSC, Failed UpdateStatus hr=[%x].Unable to CoCreateInstance for AV with WSC, hr=[%x].Windows type is Vista or newer so we updated AntiSpyware state [%d] and (%s) to WSC API.Unable to write AS status to WSC, Failed UpdateStatus hr=[%x].Unable to CoCreateInstance for AS with WSC, hr=[%x].SBAMWSC.EXEUnable to update Windows Security Center with current status.Registered FW product [%s] with display name [%s] with WSC, hr=[%x].Unable to Register FW [%s] with display name [%s] with WSC, hr=[%x].Registered AV product [%s] with display name [%s] with WSC, hr=[%x].Unable to Register AV [%s] with display name [%s] with WSC, hr=[%x].Registered AS product [%s] with display name [%s] with WSC, hr=[%x].Unable to Register AS [%s] with display name [%s] with WSC, hr=[%x].WSCConfig.xmlInvalid UpdateCheckIntervalHours value [%d] in WSC Config File.FW state did not change. Current state is [%d]FW state changed. Current state is [%d], new state is [%d]AP state did not change. Current state is [%d]AP state changed. 
Current state is [%d], new state is [%d]WSC Controller is disabled and we tried to remove ourself from WSC and failed, maybe we were never installed into WSC [%x].Note: Versions of Windows before Vista don't support AntiSpyware in Windows Security Center.UpdateCheckInterval timer expired after [%d] hours.Failed starting WSC thread. Windows Security Center status will not be updated.CProxy_ISBActiveProtectionEvents::Fire_APReportingCBCSBActiveProtection::OnAPReportingCBAdd of PID [%d] to AP failed with error %d.Added PID [%d] to AP.APConfig.xml\Logs\ap.etlWrong user known type %d.Couldn't encode the Hash for passing to the scan controller.Received prompt ACK for msg_id [%s].Message %s has been answered by the userCSBActiveProtectionImpl::ReportCallbackreport event has been received.Extension in list is NOT in file. Removing it from the collection; Extension = [%s].Adding file extension to collection; File ext = [%s].Unable to decrypt extensions file [%s]. The extensions collection was NOT updated.\apincl.datAP%s.xmlRegistration Code Status is [%d], Enabled is [%s].RegistrationConfig.xmlInstall date is invalid. Deleting the SBAMConfig.dll file. This file determines the evaluation period.File deletedCould not delete file: %sCheckInstallDateFile unable to get install date. Deleting the SBAMConfig.dll file. This file determines the evaluation period.SBAMConfig.binThere is a Registration Key in the config file or in the Registry. We don't need to request one from SKMS.The registration key we received from SKMS returned an invalid status when we sent it back for an Update check. Will try request a key again on next check.CheckRegistration returned (%s).Couldn't get pointer to CSBRegistrationImpl instance. Will not be able to start Check Registration thread or check users regisrtration key status for the application.There is a Registration Key in the Registry but not in the config file. Update the Config file, and get the key status from SKMS.Failed starting thread. 
Application will not be able to verify registration key status.Failed creating CheckRegistration event. Application will not be able to verify registration key status.Failed creating m_hQuitCheckRegistrationThread event. Application will not be able to verify registration key status.Registration thread DIDN'T start. Application will not be able to verify registration key status.Registration Code Status is [%d].Setting log level to %d.Setting log roll over size to %d.Setting log file count to %d.Url contains a known %s domain.Couldn't replace bad url link node; search and replace will be aborted and HTML will not be modified.SBAntiPhishing::ProcessHTMLElementBad url link node successfully replaced.HTML document successfully processed; no bad url link nodes were found.HTML document successfully processed; %d bad url link nodes were replaced.Exception occurred while trying to process the text; text will not be modified. (%S)Text successfully processed; no bad urls were found.Text successfully processed; %d bad urls were replaced.Bad url successfully replaced.{(((https?)|(ftp)://)|(www\.)|(ftp\.))([-A-Z0-9 &@#/%?=~_|!:,.;]*)([-A-Z0-9 &@#/$=~_|])}CSBEmailAV::BadUrlActionCSBEmailAV::IsBadUrlCheckingEnabledCloseEmailWindowMsgText is NULLCSBEmailAV::GetCloseEmailWindowMsgTextInvalid parameter: MessageAttachment = [%p], OriginalBufferSize = [%d], AttachmentName = [%p], DateTime = [%p], Subject = [%p]Invalid parameter: Subject = [%p], Extension = [%p], Buffer = [%p], BufferSize = [%d]CSBEmailAV::ScanTextForBadUrlspriority=, msg=Expanding %%CRLF%%...%CRLF%Invalid %%PRODUCTVERSION%% [%s]Replacing %%PRODUCTVERSION%% with [%s]Invalid %%ATTACHMENTNAME%% [%s]Replacing %%ATTACHMENTNAME%% with [%s]Invalid %%THREATNAME%% [%s]Invalid %%THREATDEFVERSION%% [%d]Replacing %%THREATNAME%% with [%s]Replacing %%THREATDEFVERSION%% with [%s]Invalid %%VIPREVERSION%% [%s]Replacing %%VIPREVERSION%% with [%s]Invalid %%COMPANY%% [%s] or %%PRODUCT%% [%s]Replacing %%COMPANY%% with [%s], %%PRODUCT%% 
with [%s]Expanding %%COMPANY%% and %%PRODUCT%%...%COMPANY%Invalid %%PRODUCTLONG%% [%s]Replacing %%PRODUCTLONG%% with [%s]Expanding tokenized string; Text = [%s], Threat Name = [%s], Attachment Name = [%s]cmclient1.dllFailed to open file; key=, error=Failed to read file; key=, error=Failed to create file; key=, error=Failed to write data; key=, error=Failed to delete file; key=, error=op=, key=, success=EmailAVConfig.xmlBad url definition file could not be loaded.LoadBadUrlDefsBad url definition file was successfully loaded.Couldn't copy known bad url dll from defs folder to install folder; will continue using previous dll.Successfully copied known bad url dll from defs folder to install folder.kbu.dllEmailAV released known bad url dll.Definitions were updated; we need to unload the known bad url dll, copy it from the defs to the install dir, and then reload it.Returning undelivered subject prefix [%s]Returning undelivered body text [%s]CSBEmailAVImpl::GetCloseEmailWindowMsgTextReturning close email window message text [%s]CSBEmailAVImpl::GetBadUrlReplacementTextReturning text to replace bad urls [%s]Failed to quarantine the email message; subject=, filename=Successfully quarantined the email message; subject=, filename=, cleaner result=, quarantine id=Failed to create client; error=Failed to set client persist callback; error=Failed to create client description; error=Failed to set client description; error=Failed to start client; error=Failed to wait for client ready; error=Failed to create catalog session; error=IFailed to parse message; error=Failed to query catalog session; error=Failed getting threat id [%d] nameGot name for threat id [%d]BadUrls collectionCSBEmailAVImpl::ScanTextForBadUrlsReturning text to append [%s]Returning inbound text to append [%s]Cloudmark scan %s; message %s spamSender= is not in the address list; scan the message for spamSender= is in the address list as allow; do not mark the message as spamSender= is in the address list as block; 
mark the message as spamScanning message for spam; subject=, date=, sender=No threat definitions; attachment = [%s] will not be scannedBuffer contains threat; nThreatId=[%u]Unknown buffer; will attempt to %s it if a threat is detectedFailed to quarantine buffer; passing through unmodifiedDetected non-cleanable pseudo threat; will attempt to %s itScanning attachment; MessageBuffer = [%p], OriginalBufferSize = [%d], strAttachmentName = [%s]State changed from [%s] to [%s]Arva failed to start : [%d]Could not enable monitor [%d] on port [%d] : [%d]WindowsLiveMail Support: [%s]SHELL Executed to register WlMailApiCom.dll-s WLMailApiCom.dllSHELL Executed to register WlMailApiStore.dll-s WLMailApiStore.dllFailed to register [%s],WindowsLiveMail support Will not workSHELL Executed to register WlMailApiInit.dll-s WLMailApiInit.dllregsvr32.exe{93ABC5F0-879F-4400-9AE9-F2742A03A229}EmailAV is configured to quarantine messages containing bad urls; make a backup of the original message now.EmailAV is not configured to quarantine messages containing bad urls; do not make a backup of the original message.Pseudo-bad url successfully replaced.VIPRE_PSEUDO_BAD_URLUnexpected result= while waiting for eventsUnexpected result= waiting for config thread to stop; config thread will be terminatedBody did not contain bad urlBody contained bad url and was replacedBad url checking is disabled; message body will not be scanned.Incorrect date/time passed [%s]. Cannot convert to a time_t value.An invalid length or invalid buffer was passed into ReadFromFile.Read all data from file .
d:d:d %d/%d/%d
%x %X
FindFirstFile did not succeed on path . No files were found.
Deleted (%s) - [%d] files remaining.
Error removing file (%s).
The (%s) list has (%d) items.
List is empty adding files (%s) to list.
%s\%s*.xml
SBAM.Common
Env var value too big(>%u)!
GetProcAddress('%s') failed
LoadLibrary('%s') failed
Failed to read env var
We have an error trying to build the envPath from %s
Rpcrt4.dll
Programmer error! The size of PIDs is NOT large enough! (index) %d > %u (size).
PID[d] = d .
Found process - d hTask16 (%d).
Found process - d .
NTVDM.EXE
VDMDBG.DLL
Kernel32.DLL
Successfully launched for user u .
DuplicateTokenEx 0xX dup(0xX).
OpenProcessToken 0xX token 0xX.
OpenProcess %u HANDLE 0xX.
OpenProcess failed for PID %d. Cannot run the command as a logged on user.
Trying to launch for user u .
Only handling the first %u users.
%u users found.
explorer.exe
CmdLine = .
ISBWebFilterEvents
CProxy_ISBWebFilterEvents::Fire_ConfigChangeCB
CProxy_ISBWebFilterEvents::Fire_WebFilterStateChangeCB
CProxy_ISBWebFilterEvents::Fire_WebFilterStatsCB
CProxy_ISBWebFilterEvents::Fire_WebFilterPublishingCB
CProxy_ISBWebFilterEvents::Fire_WebFilterReportingCB
#SBWebFilter
Web Filter CoClass
CSBWebFilter::GetConfig
CSBWebFilter::SetConfig
WebFilterStatus is NULL
CSBWebFilter::GetWebFilterStatus
CSBWebFilter::EnableWebFilter
CSBWebFilter::DisableWebFilter
CSBWebFilter::WFResetToDefaults
CSBWebFilter::OnConfigChangeEvent
CSBWebFilter::OnWebFilterStateChangeEvent
CSBWebFilter::OnWebFilterStatsEvent
CSBWebFilter::OnPublishingEvent
CSBWebFilter::OnReportingEvent
CSBWebFilterImpl::StopThread
CSBWebFilterImpl::SetCoClassPtr
Failed to add the Port to the WebFilter collection. This Port will not be available.
Failed to clear the Ports in the WebFilter. The Ports collection could not be loaded in the WebFilter.
The Dirty flag is set for the Ports collection in the WebFilter Config file. The Ports collection will be reloaded in the WebFilter.
ApplyConfigPorts
The Dirty Flag was not set on the Ports Collection from the WebFilter Config file. Will NOT update the Ports settings in the WebFilter.
CSBWebFilterImpl::GetWebFilterStatus
This is a Firewall SKU and this function requires the WebFilter SDK, but WebFilter dll is not loaded! Unable to proceed.
SbWF:WebFilter
Event received from WebFilter module; adding to event queue
CSBWebFilterImpl::NotificationCB
Stats received from WebFilter module; adding to stats queue
CSBWebFilterImpl::StatsCB
Resetting all Web Filter settings back to the defaults for VIPRE Premium SKU.
Resetting all Web Filter settings back to the default settings for Enterprise SKU.
CSBWebFilterImpl::ResetDefaultSiteValues
Resetting all Web Filter settings back to the default settings for (%s) mode.
Unknown:%d
SbWebFilter.dll
WebFilterConfig.xml
CSBWebFilterImpl::SetDefaultConfigValues
Config file may not exist or is corrupted. Creating default config file for the Webfilter controller.
Web filter notification callback didn't include valid data pointer.
staticUrlInspectionCB
Web filter notification callback didn't include valid context pointer.
Web filter stats callback didn't include valid data pointer.
Web filter stats callback didn't include valid context pointer.
Failed to add the BadUrlBlockingException (%s) to the KnownGoodDomain collection. This BadUrlBlockingException will not be available.
The Dirty flag is set for the BadUrlBlockingExceptions collection in the WebFilter Config file. The BadUrlBlockingExceptions collection will be reloaded in the WebFilter.
ApplyConfigBadUrlBlockingExceptions
The Dirty Flag was not set on the BadUrlBlockingExceptions Collection from the WebFilter Config file. Will NOT update the BadUrlBlockingExceptions settings in the WebFilter.
Failed to add the UserKnownBadUrl (%s) to the KnownBadDomain collection. This UserKnownBadUrl will not be available.
The Dirty flag is set for the UserKnownBadUrls collection in the WebFilter Config file. The UserKnownBadUrls collection will be reloaded in the WebFilter.
ApplyConfigUserKnownBadUrls
The Dirty Flag was not set on the UserKnownBadUrls Collection from the WebFilter Config file. Will NOT update the UserKnownBadUrls settings in the WebFilter.
Updated WebFilter Info system configuration.
CSBWebFilterImpl::UpdateInfoConfig
SbWFInfo_UpdateConfig failed. Unable to update Web Filter Info system configuration, statistics may not be reported correctly.
SbWF_UpdateConfig failed. The WebFilter configuration was not correctly updated. The WebFilter may not function as expected.
Called SbWF_SetBlockPage(SbWF_BlockPage_BadUrl) with path (%s). The WebFilter will now use the blocked web page html.
CSBWebFilterImpl::LoadBlockPages
SbWF_SetBlockPage(SbWF_BlockPage_BadUrl) failed with path (%s). The WebFilter will not use the blocked web page html.
BlockedWebPage.htm
SbWF_Stop failed. The WebFilter may not function as expected.
CSBWebFilterImpl::StopWebFilter
SbWFInfo_Stop failed. The WebFilter may not function as expected.
Web Filter controller stopped.
CSBWebFilterImpl::StopController
WebFilter dll is not loaded!
the Webfilter config file
CSBWebFilterImpl::SaveConfigToDisk
the default webfilter config file
the webfilter config file
CSBWebFilterImpl::GetConfigObjectFromDisk
SbWFInfo_Start failed. Unable to start WebFilter.
Unable to read WebFilter Config information. Unable to start WebFilter.
CSBWebFilterImpl::StartWebFilter
SbWF_Start failed. Unable to start WebFilter.
CSBWebFilterImpl::ResetInfoConfig
Unable to read WebFilter Config information. Unable to reset the WebFilter Info Stats Update Frequency.
Out. WebFilter status = %u
Calling OnWebFilterStateChangeEvent().
WebFilter is already stopped.
Failed to stop the WebFilter.
Stopped the WebFilter.
The config file says to turn OFF the WebFilter.
UpdateInfoConfig failed. The WebFilter Info System frequency configuration was not correctly updated. The WebFilter may not report statistics as expected.
WebFilter is already running.
Failed to start the WebFilter.
Started the WebFilter.
The config file says to turn ON the WebFilter.
In. WebFilter status = %u
CSBWebFilterImpl::ApplyConfig
SbWF_SetLoggerCallback failed. Unable to configure WebFilter logging callback.
Resetting all Web Filter settings, user defined Ad Rules and predefined web sites back to the default settings.
CSBWebFilterImpl::WFResetToDefaults
Unable to read WebFilter Config information can't %s the WebFilter.
CSBWebFilterImpl::EnableWebFilter
the webfilter config object
CSBWebFilterImpl::GetConfig
CSBWebFilterImpl::SetConfig
Failed to get webfilter config object from disk; webfilter settings will not be updated
Failed to apply webfilter config settings; webfilter settings may be in an inconsistent state
Successfully applied webfilter config settings
Successfully loaded webfilter config from disk; applying its settings
CSBWebFilterImpl::DoConfigThread
Invalid hour %u. There are only 24 hours in a day. Did not accumulate webfilter statistics.
%Y-%m-%dT00:00:00
%s\%sWS_%s.xml
%Y%m%d
Couldn't add to %s. Folder is NULL.
web filter hourly stats file
WebFilter Stats XML
No listeners for Reporting event
Firing Reporting event
WebFilter event file
WF{%s}.xml
WebFilter Event XML
CSBWebFilterImpl::WebFilterThread
Failed starting the thread. Web filtering will not be operational.
CSBWebFilterImpl::StartThread
WebFilter dll successfully loaded
Could not load WebFilter dll; controller not started.
CSBWebFilterImpl::StartController
CProxy_ISBFirewallEvents::Fire_FWReportingCB
CSBFirewall::OnReportingEvent
Unknown event type in callback type = (%d)
Callback type = (%d) %s.
Packet To Unopened Port event type
SbFweIds_DeleteUserIDSRule for ID [%d] returned [%d]. Unable to delete user IDS rule.
Failed to add the Application Rule for [%s] to the firewall collection. This Rule will not be loaded into the Firewall.
Failed to add the Network rule (%s) to the firewall collection. This rule will not be loaded into the Firewall.
Failed to add the gateway address %s (%s) to the firewall collection. The gateway collection will not be loaded into the Firewall.
Failed to add the Zone (%s) to the firewall collection. The Zones collection will not be loaded into the Firewall.
Invalid or unknown Address type for zone (%s). This zone will not have any Address Addresses.
Product version %s
Dequeued the data object for dispatch for msgId %s. EventDispatcherThread did not handle this.
Event signaled 0xX. Received the data dequeue for msgId %s.
Timeout while waiting for the data dequeue event 0xX for msgId %s.
Error while waiting for the data dequeue event 0xX for msgId %s. Wait result: %u.
Waiting for data dequeue event 0xX for msgId %s.
Failed to signal the dispatch event 0xX for msgId %s. Not notifying the user.
Signaling the dispatch event 0xX for msgId %s.
Queued the data object for dispatch for msgId %s.
Failed to signal the dispatch event 0xX for msgId %s. Not reporting to the user.
Failed to create EventData object. Unable to process the Report Callback.
There is no dispatch event. Cannot report to the user.
CSBFirewallImpl::ReportCB
Network event report callback didn't include valid data pointer.
Threat Def version %s
Threat Def version %d, release date %s
Firewall event Report callback.
staticReportCB
Network event report callback didn't include valid context pointer.
Failed to add the firewall filter rule--id application description . This rule will not be available.
Unable to allocate the RemotePorts array from the Firewall Config file. The RemotePorts collection was not be loaded into the Firewall.
Unable to allocate the LocalPorts array from the Firewall Config file. The LocalPorts collection was not be loaded into the Firewall.
Setting Basic Firewall default IDS Rules to the settings for (%s) mode.
Setting Basic Firewall default Network Rules to the settings for (%s) mode.
sbagentdiagnostictool.exe
winlogon.exe
lsass.exe
sbamsvc.exe
Setting Basic Firewall default Application Rules to the settings for (%s) mode.
Setting Basic Firewall settings back to the settings for (%s) mode.
direc=out & (proto=TCP | proto=UDP) & (rport=137 | rport=138 | rport=139 | rport=445)
direc=in & (proto=TCP | proto=UDP) & (lport=137 | lport=138 | lport=139 | lport=445)
(proto=UDP & rport=88 & direc=out)
(proto=UDP & lport=88 & direc=in)
(proto=TCP | proto=UDP) & (rport=389 | rport=636) & direc=out
(proto=TCP | proto=UDP) & (lport=389 | lport=636) & direc=in
(direc=out & proto=47) | (proto=TCP & rport=1723 & direc=out) | (direc=out & proto=50) | (direc=out & proto=108)
(direc=in & proto=47) | (proto=TCP & lport=1723 & direc=in) | (direc=in & proto=50) | (direc=in & proto=108)
proto=UDP & rport=53 & direc=out
proto=UDP & lport=53 & direc=in
((lport=68 & rport=67) | (lport=67 & rport=68)) & proto=UDP & direc=out
((rport=68 & lport=67) | (rport=67 & lport=68)) & proto=UDP & direc=in
Ping and Tracert
Failed to signal the dispatch event (0xX).
Signaling the dispatch event 0xX.
kSbFwe.dll
Unable to create a blank app rule in the config object. Not setting the app rule for svchost.exe.
%WINDIR%\system32\svchost.exe
Unable to create a blank app rule in the config object. Not setting the app rule for winlogon.exe.
%WINDIR%\system32\winlogon.exe
Unable to create a blank app rule in the config object. Not setting the app rule for services.exe.
%WINDIR%\system32\services.exe
Unable to create a blank app rule in the config object. Not setting the app rule for lsass.exe.
%WINDIR%\system32\lsass.exe
%PROGRAMFILES%\Internet Explorer\iexplore.exe
SBPIMSvc.EXE
SBAgentDiagnosticTool.EXE
SBAMUI.EXE
SBAMSvc.EXE
Resetting all Basic Firewall settings back to the default settings for (%s) mode.
FirewallConfig.xml
FW SDK Version "%s"
%u.%u.%u
SbFwe_GetVersion returned SDK %u.%u.%u IDS %u.%u.%u
Loaded the Event Object for %s data from firewall.
Packet To Unopened Port Event.
SbFweInfo_UpdateConfig failed. Unable to update Firewall Info system configuration, statistics may not be reported correctly.
Failed to add the Disabled IDS Rule [%d] in the firewall. This rule will not be available.
Failed to update the Rules Path (%s). The Firewall may not be able to locate the correct Rules files.
SbFwe_EnableFilterRules failed. Filter Rules may not be (%s) as expected.
SbFwe_EnableNetworkRules failed. Network Rules may not be (%s) as expected.
SbFwe_EnableApplicationRules failed. Appplication Rules may not be (%s) as expected.
Failed to update the LogPacketsToUnopenedPorts setting. Packets To Unopened Ports may not be logged correctly.
Failed to update the Log Port Scans setting. Port Scan may not be logged correctly.
SbFweIds_Start failed. Unable to start IDS because the IDS system didn't have all the required data. Most likely the IDSRules.dat file is missing.
Unable to read Firewall Config information can't %s the Basic Firewall.
Updated HIPS Config information to %s the Firewall HIPS controller.
Updated WebFilter Config information to %s the Firewall WebFilter controller.
Updated Firewall Config information to %s the Firewall controller.
Failed to allocate the buffer for (%d) IDS items. Unable to read Firewall IDS Rules information.
SbFweIds_CreateUserIDSRule returned [%d]. Unable to create user IDS rule.
SbFweIds_UpdateUserIDSRule returned [%d]. Unable to create user IDS rule.
Called SbFweIds_GetDefinitionsRules with path (%s). The Firewall will now use the updated definition rules.
SbFweIds_GetDefinitionsRules failed with path (%s). The Firewall will not use the updated definition rules.
\idsrules.dat
No such data object stored for msgId %s. Cannot remove nor destroy the data object.
Removed the data object from the map for msgId %s.
Event signaled 0xX. Received the prompt answer for msgId %s. Returning answer in Result back to FW SDK.
Timeout while waiting for the prompt answer event 0xX for msgId %s. Allowing.
Error while waiting for the prompt answer event 0xX for msgId %s. Wait result %u.
Waiting for prompt answer event 0xX for msgId %s.
Event signaled 0xX. Received the prompt ACK for msgId %s. Prompt is being displayed to the user.
Timeout while waiting for the prompt ACK event 0xX for msgId %s. Maybe no clients. Allowing.
Error while waiting for the prompt ACK event 0xX for msgId %s. Wait result: %u.
Waiting for prompt ACK event 0xX for msgId %s.
Timeout while waiting for the data dequeue event 0xX for msgId %s. Allowing.
Failed to signal the dispatch event 0xX for msgId %s. Allowing.
Stored the data object in the map for msgId %s.
Prompt for outbound traffic for the any other app rule for known good app (%s); allow the event instead of prompting.
An error occurred trying to updated rule information in the config file for Rule Id (%d) from event related to application (%s).
Updated rule information saved in the config object for Rule Id (%d) from event related to application (%s).
Found an existing rule for application [%s] in the config object. Only changing the action enum for the application.
No existing Network or Application rule found for RuleID [%d], application [%s]. Creating a new Application rule with ID [%d].
Found an existing network rule for rule id [%d] in the config object. Only changing the action enum for the network rule.
We need to create rule for Rule ID [%d] related to application (%s).
Received a request to disable a rule for a (%s) event type.
Unable to read Firewall Config. Not able to disable the rule (ID %d).
Unable to create a new DisabledDefinitionIDSRule in the config object. DisabledDefinitionIDSRule for Rule Id (%d) was not saved to the config file.
Error saving the Firewall Config file. DisabledDefinitionIDSRule for Rule Id (%d) was not saved to the config file.
Found an existing DisabledDefinitionIDSRule for rule [%d] in the config object. No need to disable the rule.
DisabledDefinitionIDSRule saved in the config object for Rule Id (%d).
No existing DisabledDefinitionIDSRule found for rule [%d]. Creating a new DisabledDefinitionIDSRule.
Expecting an adapter event, but received a %s event. Not adding adapter or zone.
Unable to read Firewall Config. Not adding the adapter or zone to the collection for adapter (ID %s).
Unable to create a blank zone in the config object for adapter (ID %s). Not saving the added adapter.
Zone not found in config object for adapter (ID %s). Adding a new zone to the collection.
Unable to create a blank adapter (ID %s) in the config object. Not adding zone either.
Adapter not found in config object. Adding a new adapter (ID %s) to the collection.
Adapter found in config object for adapter (ID %s).
Received a request to disable the notifications for (%s) event type.
Unknown request enum (%d). Cannot figure out request.
Received a request from a client in response to a Firewall event, but we are unable to serialize the event xml data.Cannot figure out request.
sbpimsvc.exe
sbamui.exe
Added default application rule for SBAgentDiagnosticTool.EXE to firewall configuration.
Invalid hour %u. There are only 24 hours in a day. Did not accumulate network statistics.
%s\%sNS_%s.xml
network hourly stats file
Invalid hour %u. There are only 24 hours in a day. Did not accumulate IDS statistics.
%s\%sIS_%s.xml
IDS hourly stats file
Invalid hour %u. There are only 24 hours in a day. Did not accumulate Filter statistics.
%s\%sFS_%s.xml
Filter hourly stats file
More items on the event dispatch queue so NOT resetting the dispatch event. Keep processing more messages until the queue is empty. Queue size = %d.
Failed to reset the event dispatch event (0xX).
Resetting the dispatch event because the queue is empty. This will allow this thread to wait for the next event. Queue size = %d.
Finished processing the event and determining if we need to reset the dispatch event. Only reset it if the queue is empty. Queue size = %d.
No listeners for Reporting event for msgId %s. The COM event to notify any interested client apps of a firewall report event was NOT fired.
Calling OnReportingEvent() for msgId %s. This is the COM event to notify any interested client apps of a firewall report event.
%s\%s%s.xml
Invalid or unknown ClientRuleData value for event type (%s). Unable to determine which list of event files to pass to ManageEventFiles.
%s%s.xml
FWPORT
No client apps listening for Publishing event for msgId %s. The user will not receive any pop up for this event.
Calling OnPublishingEvent() for msgId %s. The COM event is being fired to alert any listening clients of the event that is ready for publishing.
Failed to signal the data dequeued event 0xX for msgId %s.
Event signaled, handle = 0xX. Dequeued and dispatching the queued firewall event for msgId %s. Signaling the data dequeued event so the firewall SDK callback can return, handle = 0xX.
While dequeueing the data object for dispatch for msgId %s, found an uknown event type (%d). Whatever event caused this to occur is discarded.
Failed to reset the stats dispatch event (0xX).
Event signaled 0xX. Dispatch the queued firewall stats.
Error while waiting for dispatch event 0xX. Wait result: %u.
Waiting for dispatch event 0xX and 0xX.
Out. Firewall status = %u
In. Firewall status = %u
Failed to signal the prompt answer event 0xX for msgId %s.
Signaling the prompt answer event 0xX for msgId %s.
No such data object stored for msgId %s. Not found. Not sending the answer to the prompt to the Firewall SDK.
No such data object stored for msgId %s. iter->second was NULL. Not sending the answer to the prompt to the Firewall SDK.
Saving the prompt answer for msgId %s in the map.
Received prompt answer for msgId %s.
Failed to signal prompt ACK event 0xX for msgId %s.
Signaling prompt ACK event 0xX for msgId %s.
No such data object queued for msgId %s. Not found. Not signaling prompt ACK.
No such data object stored for msgId %s. iter->second was NULL. Not signaling prompt ACK.
Received prompt ACK for msgId %s.
Failed starting the event dispatcher thread. Firewall will not be operational.
Failed creating the dispatch the firewall stats...event. Event dispatcher thread start failed.
Failed creating the dispatch the firewall event...event. Event dispatcher thread start failed.
This %s a Firewall SKU and the Firewall dll was successfully loaded.
This %s a Firewall SKU but we could not load Firewall dll, the controller will not be started.
Unable to get the Enterprise Agent (%s) start function (%s) address. Unable to stop the Enterprise Agent.
Enterprise Agent (%s) start function (%s) returned %s.
Calling the Enterprise Agent (%s) start function (%s).
SBEAgent.dll
Unable to get the Enterprise Agent (%s) stop function (%s) address. Unable to stop the Enterprise Agent.
Calling the Enterprise Agent (%s) stop function (%s).
Unable to get the Enterprise Agent (%s) reset firwall function (%s) address. Unable to reset the firewall.
Calling the Enterprise Agent (%s) reset firewall to policy function (%s).
CProxy_ISBHIPSEvents::Fire_HIPSReportingCB
CSBHIPS::OnReportingEvent
Unexpected result= waiting for worker thread to stop; worker thread will be terminated
Resetting all HIPS settings back to the default settings for (%s) mode.
HIPSConfig.xml
Added program=, md5=, authority=, protection=
Failed to add program=, md5=, authority=, protection=
Couldn't compute the MD5 for program= with authority=; error=. May not be able to add it to HIPS.
ApplyConfig %s; PrevState=, State=
Unable to read HIPS Config information can't %s the Firewall HIPS.
Invalid hour %u. There are only 24 hours in a day. Did not accumulate HIPS statistics.
%s\%sHS_%s.xml
hips hourly stats file
Processed %d event(s) from the queue
There was an error adding to the HIPS Hourly Stats buckets. This HIPS event may not have been added to the stats correctly.
No listeners for Publishing/Reporting events
Firing Publishing/Reporting events
HIPS{%s}.xml
Unexpected result= waiting for controller events; ignore it
Got current thread state and reboot statuses.
Boot time scanner REGISTRATION .
Boot time scanner UNREGISTRATION .
Couldn't get boot time scanner status. Operation failed.
Current boot time scanner registration status is .
Threat engine returned an unsupported state: %d. Scan state event won't fire event to subscribed clients.
Scan thread change to state.
Failed scanning file . Didn't get any result.
File has threat id (0 - not a threat).
File %s good.
Invalid source buffer pointer or length. Write file operation failed.
Couldn't open file on path . Write file operation failed.
Failed writing data into file path . Write file operation failed.
Unexpected length written into file pat . Write file operation failed, file incomplete.
Data completely written into file .
File successfully opened on path to write data.
Couldn't open file path . Couldn't read file.
Read data of length from file on path .
Failed reading data from file on path . Couldn't read file.
Failed reading BOM from file path . Couldn't read file.
Successfully retrieved file length .
File successfully opened on path to read data.
Invalid file length . Couldn't read file.
Last successful scan results path generated .
Couldn't get signature for file from threat engine.
Threat Engine returned (%s) signature for file from threat engine.
Failed to purge history because this is an unknown history type %d.
File deleted since it's older than days.
Could not delete file on path . Search for the next history file.
Delete history events for (%s) older than days.
SW*.xml
LG*.xml
FWCHG*.xml
FWPUP*.xml
FWADP*.xml
FWIDS*.xml
FWADV*.xml
FWNET*.xml
Port Events
FWPORT*.xml
FWAPP*.xml
HIPS*.xml
FW*.xml
Web Filter Events
WF*.xml
FW Hourly Stats
*.xml
Deleting quarantine items older than days.
EV*.xml
EM*.xml
2*.xml
Delete is enabled. HistoryType=[%d]
Delete is disabled. HistoryType=[%d]
Firing the cleaner control using as the input file.
Cleaner input file moved from to .
Failed copying file from to . Cleaning operatation won't proceed.
Got input scan results file name the cleaner will use .
Checking for a user known entity [%s] and signature [%s].
Unknown trace type detected iuTraceType=[%d].
Scan thread resumed to previous state.
Non-cookie trace from was deleted or quarantined. Send it to threat net.
Cleaner results didn't meet criteria. File NOT sent to threat net.
Got trace of threat from . Test if there are non-cookie threats deleted or quarantined.
Got threat from . Test if there are non-cookie threats deleted or quarantined.
Threats from were quarantined or deleted. Proceed calculating criteria.
Successfully got cleaner results summary from . Proceed calculating criteria.
Couldn't deserialize scan results . Clean ends and thread waits for next event.
Cleaner results %s meet deep after quick criteria.
Got trace of threat from . Test if there are non-cookie threats.
Got threat level [%d] from . Test if there are non-cookie threats.
Threats from were detected. Proceed checking criteria.
Successfully got cleaner results summary from . Proceed checking deep after quick criteria.
Couldn't deserialize scan results . Thread waits for next event.
Scan results criteria applied successfully to .
Couldn't apply scan results criteria successfully to . Clean ends and thread waits next event.
Wrote cleaner results file on path successfully.
Couldn't write clean results file on path . Clean ends and thread waits next event.
Got cleaner results lenght on path
Cleaner operation completed successfully.
Cleaner returns unknown state . Clean ends and thread waits for the next event.
Scan results data on path successfully read.
Couldn't read scan results data on path . Clean ends and thread waits for next event.
Got scan results file size of length on path successfully.
Coulnd't read scan results size on path . Clean ends and thread waits for next event.
Current clean input file on path .
CSBScanControlImpl::ExecuteCleaner
Couldn't serialize default scan config file on path . Serialize operation failed.
Threat engine max and min file lengths.
Default quarantine folder path .
Default system events folder path .
Default history folder path .
Couldn't serialize scan config file path . Config file may not exist or is corrupted, it will try to create a default scan config file. Will try to create a default scan config file.
ScanConfig.xml
Scan type %s found.
Couldn't get scan config object. Operation failed.
Adding the randomized scheduled definitions update before the next scheduled scan for (%s) failed. Scheduled update before the next scheduled scan will not occur.
d:d
Randomized the scheduled definitions update before the next scheduled scan by [%d] seconds to (%s).
Current time is (%s).
Couldn't get application data folder . Unable to convert any user knowns by signature, crc8 to fullpath.
Couldn't find scan schedule ; unable to determine scan type.
Scan configuration name is invalid OR empty. Scan thread won't start a scan.
Scan config is valid. Scan thread is starting a scan now.
Couldn't delete Social Watch history older than [%d] days. Wait for the next event.
Couldn't delete System Update Scan history older than [%d] days. Wait for the next event.
Couldn't delete hips event files older than [%d] days. Wait for the next event.
Couldn't delete webfilter event files older than [%d] days. Wait for the next event.
Couldn't delete firewall event files older than [%d] days. Wait for the next event.
Couldn't delete firewall stats files older than [%d] days. Wait for the next event.
Couldn't delete quarantined files older than [%d] days. Wait for the next event.
Couldn't delete system events events older than [%d] days. Wait for the next event.
Couldn't delete EmailAV events older than [%d] days. Wait for the next event.
Couldn't delete AP events older than [%d] days. Wait for the next event.
Couldn't delete Scan history older than [%d] days. Wait for the next event.
Couldn't set scheduled scan for scan type . This scheduled scan will not happen.
Successfully set scheduled scan for scan type .
Invalid cleanerAction= (categoryName=, categoryId=). Threat category action was not pushed into the threat engine.
Threat categoryName=, categoryId=, and cleanerAction= added to threat engine.
Failed adding threat categoryName=, categoryId=, and cleanerAction= to threat engine. Threat category action was not pushed into the threat engine.
Invalid categoryId= (categoryName=, cleanerAction=). Threat category action was not pushed into the threat engine.
Couldn't add threat id to ignore list . One or more ignored threat was not pushed into the threat engine.
Threat id added to ignore list .
Failed setting SBCSEnableRootkitEngine . Value may be incorrect in the threat engine.
Failed setting SBCSSetLowRiskThreatDetection . Value may be incorrect in the threat engine.
Couldn't get application data folder . It won't set new content for scan config file.
Scan config data %ssaved.
Scan config data %s saved.
Saved current total scan elapsed time of seconds.
Add a user known entity [%s] of type %d to scan config. Item Type is %d.
Adding file [%s] to known good because MoveToAlwaysAllowed is true.
Removing known bad file [%s] from Always Blocked list.
Moving file [%s] from Always Blocked list to Always Allowed list.
Couldn't exclude path from scan. Leaving now.
Scan settings for type successfully applied to the threat engine.
User has invalid or expired registration state.Disabling the auto disposition.
Added path to scan.
Failed setting EnableFileCache to ; scan will NOT use file cache.
Set EnableFileCache to ; scan %s use file cache.
Set SBCS_OPT_SCAN_ROOTKITS to .
Failed setting SBCS_OPT_SCAN_ROOTKITS . Leaving now.
Set SBCS_OPT_SCAN_VIPRE_SUSPICIOUS to .
Failed setting SBCS_OPT_SCAN_VIPRE_SUSPICIOUS . Leaving now.
Set SBCS_OPT_SUSPEND_ACTIVE_THREATS to .
Failed setting SBCS_OPT_SUSPEND_ACTIVE_THREATS . Leaving now.
Set SBCS_OPT_SCAN_REGISTRY to .
Failed setting SBCS_OPT_SCAN_REGISTRY . Leaving now.
Set SBCS_OPT_SCAN_PROCESSES_DEEP to .
Failed setting SBCS_OPT_SCAN_PROCESSES_DEEP . Leaving now.
Set SBCS_OPT_SCAN_PROCESSES to .
Failed setting SBCS_OPT_SCAN_PROCESSES . Leaving now.
Set SBCS_OPT_SCAN_KNOWN_FILE_TYPES_ONLY to .
Failed setting SBCS_OPT_SCAN_KNOWN_FILE_TYPES_ONLY . Leaving now.
Set SBCS_OPT_SCAN_FILES to .
Failed setting SBCS_OPT_SCAN_FILES . Leaving now.
Set SBCS_OPT_SCAN_FILENAME_AND_CHECKSUM to .
Failed setting SBCS_OPT_SCAN_FILENAME_AND_CHECKSUM . Leaving now.
Set SBCS_OPT_SCAN_DONT_CALC_CHECKSUM to .
Failed setting SBCS_OPT_SCAN_DONT_CALC_CHECKSUM . Leaving now.
Set SBCS_OPT_SCAN_DERIVATIVES to .
Failed setting SBCS_OPT_SCAN_DERIVATIVES . Leaving now.
set SBCS_OPT_SCAN_COOKIES to
Failed setting SBCS_OPT_SCAN_COOKIES . Leaving now.
Set SBCS_OPT_SCAN_COMMON_TACTICS to .
Failed setting SBCS_OPT_SCAN_COMMON_TACTICS . Leaving now.
Set SBCS_OPT_SCAN_ARCHIVES to .
Failed setting SBCS_OPT_SCAN_ARCHIVES . Leaving now.
Set SBCS_OPT_SCAN_ALL_USERS to .
Failed setting SBCS_OPT_SCAN_ALL_USERS . Leaving now.
Set SBCS_OPT_EXCLUDE_REMOVABLE_DRIVES to .
Failed setting SBCS_OPT_EXCLUDE_REMOVABLE_DRIVES . Leaving now.
Set SBCS_OPT_SCAN_ALL_LOCAL_DRIVES to .
Failed setting SBCS_OPT_SCAN_ALL_LOCAL_DRIVES . Leaving now.
Set SBCS_OPT_RECURSIVE_FILE_SCAN to .
Failed setting SBCS_OPT_RECURSIVE_FILE_SCAN . Leaving now.
Set SBCS_OPT_KEEP_SCAN_RECORD to .
Failed setting SBCS_OPT_KEEP_SCAN_RECORD . Leaving now.
Thread priority successfully set to .
Failed setting thread priority to . Still applying other settings.
Scan type successfully applied to Threat Engine.
Couldn't set scan description . Still applying other settings to Threat Engine.
%d - %s, %d - %s
Found settings for scan type .
Did not find scan schedule to get scan settings from for this Scheduled Custom Scan . Leaving now.
Did not find settings for scan type . Leaving now.
Set SBCSSetLowRiskThreatDetection() to .
Failed setting SBCSSetLowRiskThreatDetection(). Value may be incorrect in the threat engine.
%s initialized loop. Scan will %s
Removing missed scheduled scan item after its timer was fired. Scan name [%s], Id [%d], start time [%s].
Looking for missed scheduled scan items to remove. Scan name [%s], Id [%d], start time [%s], now [%s].
Scanner returned unknown state . Scan ends and thread waits for the next event.
Scan executed successfully, user feedback is expected.
A scan was executed successfully and no threats were found. Performing the clean to set the clean results and fire the appropriate events.
The system is configued to perform cleaning without user dispositioning of threats found. Results file is .
Last scan type SAVED. Wait for the next event.
Couldn't save last scan type . Wait for the next event.
Config data for scan type SAVED. Wait for the next event.
Couldn't save config data for scan type . Wait for the next event.
Saved scan results file .
Couldn't save scan results into . Scan ends and thread waits for the next event.
%Y%m%d%H%M%S.xml
Config data for the next scheduled scan date/time SAVED. Proceed with scan operation.
Couldn't save the next scheduled scan date/time. Proceed with scan operation.
CSBScanControlImpl::ExecuteScanner
Added a new missed scheduled scan to the schedules collection with start time of [%s]. Persisting silently to the scan config file.
Last scheduled scan was missed, schedule a one time scan in %d minutes.
We missed a scheduled scan. The action to take is %d.
Checking to see if we missed a scheduled scan. Next scheduled scan is [%s].
Thread initialization failed. Cannot execute clean, will wait for the next one.
It's NOT valid to execute a clean operation, but no threats were found. Proceed with cleaning process in order to advance the state of the scan controller.
It's VALID to execute a clean operation. Proceed with cleaning process.
It's INVALID to executed a clean operation. Abort the cleaning process.
Unexpected scan type [%d] updating system event log. Will wait for the next event.
Thread initialization failed. Cannot execute scan, will wait for the next one.
Scan thread is waiting for event, current state is .
Couldn't create scan thread, scan operations will not happen.
Pre-loop actions executed successfully. Procced with scan thread execution.
Failed executing action taken BEFORE starting loop. Scan thread will end now.
Scan thread already running. Leaving operation now!
%s:%s
SBWinHttp
Failed opening session with proxy: proxy server=%s
SBWinHttp::CSBWinHttpSession::Initialize
Opened session with proxy: proxy server=%s
Failed opening connection: server=%s, port=%d
SBWinHttp::CSBWinHttpConnection::Initialize
Opened connection: server=%s, port=%d
Got unexpected WINHTTP_CALLBACK_STATUS_xxx. Status code: %d
Got WINHTTP_CALLBACK_STATUS_REQUEST_ERROR. dwResult=%d dwError=%d
OnReadComplete returned: %d
Completed sending request. WinHttpReceiveResponse returned error: %d
Error after sending request. OnWriteDAta returned: %d
SBWinHttp::CSBWinHttpRequest::OnCallback
Request returned %d
Unable to send the user credentials to the Web service.
WinHttpSetCredentials failed GetLastError returned [%d].
Request returned HTTP_STATUS_PROXY_AUTH_REQ.
Request returned HTTP_STATUS_NOT_FOUND.
Request returned HTTP_STATUS_BAD_REQUEST.
Request returned HTTP_STATUS_SERVICE_UNAVILABLE
SBWinHttp::CSBWinHttpRequest::OnHeadersAvailable
VIPREHttpServer::CSBHttpMonitor::SendHttpResponse
HttpSendHttpResponse failed with %lu
HttpReceiveRequestEntityBody failed with %lu
VIPREHttpServer::CSBHttpMonitor::SendHttpPostResponse
VIPREHttpServer::CSBHttpMonitor::DoReceiveRequests
[Error %u, %s].
%s\%s*.csv
%s%s_%d.csv
d-d-d d:d:d
\\.\root\SecurityCenter
pathToSignedProductExe
FirewallProduct.instanceGuid="
AntiVirusProduct.instanceGuid="
AntiSpywareProduct.instanceGuid="
Cancelled waitable timer for item .
Cancel of waitable timer failed for item . Timer may still be set.
Deleting schedule item object.
Closing timer handle 0xX.
Sun - Sat [%d, %d, %d, %d, %d, %d, %d]
Created waitable timer; handle 0xX.
Waitable timer already exists; here is the handle 0xX.
Setting waitable timer for %I64d 100 nano second units in the future which is %s (local time).
Randomizing timer by %I64u 100ns units, %d seconds.
Scheduling item for %s. Time d:d, Day %s, Days: %s.
Looking for next week schedule items. Checking schedule item . Time d:d, Days: %s.
Deleting expired one time schedule. Schedule item . Time d:d, Days: %s.
Looking for this week schedule items. Checking schedule item . Time d:d, Days: %s.
Looking for next schedule item. Today is %s. Day of week as int = %d.
%m/%d/%y Day %A, %H:%M.
Potentially too small of a repeat interval caused adding of max number of schedules. Truncating to max schedules. Repeat interval %d minutes.
Added schedule item object. Start d:d.
Malformed stop time passed in . Rejecting this schedule.
Malformed time passed in . Rejecting this schedule.
Maximum count [50] of scheduled items exceeded for itemData . Rejecting this schedule.
Added schedule item object.
okernel32.dll
Unable to locate the WDStatus and WDEnable functions in the MPClient.dll.
Request to (%s) Defender failed hr = .
Request to (%s) Defender processed successfully.
Request was to (%s) and Defender is already (%s).
Load of MPClient.dll failed. Defender not installed on this system.
\Windows Defender\MpClient.dll
Invalid source buffer pSourceBuff=[0x%x], dwSourceLen=[%d]. Crypt will abort now.
Invalid target buffer pTargetBuff=[0x%x], pdwTargetLen=[0x%x]. Crypt will abort now.
There is no valid key handle=[0x%x]. Crypt will abort now.
There is no valid key string set. Crypt will abort now.
Couldn't encrypt/decrypt data using key=[%s]. Crypt failed.
Couldn't create block cypher session basd on hash of key=[%s]. Crypt will abort now.
Couldn't populate cryptographic hash object using key=[%s]. Crypt will abort now.
Invalid target buffer ppTargetBuff=[0x%x], pdwTargetLen=[%d]. Crypt will abort now.
Successfully retrieved file size .
Got source data and size from path successfully.
Coulnd't read file size on path . Crypt will abort now.
Invalid source path string length=[%d]. Crypt will abort now.
Wrote all data into file .
Unexpected size written into file %s.
Failed writing data into file %s.
Couldn't open file %s.
Could not write RegInfo registry key, error [%ld].
Could not open SBAMSvc registry key, error [%ld].
SKMSRegistration::WriteRegistrationKeyToRegistry
Could not open HKLM\Software registry key.
Could not read RegInfo registry key.
SKMSRegistration::ReadRegistrationKeyFromRegistry
Could not open HKLM\Software\SBAMSvc registry key.
Could not read MachineGuid registry key.
Could not open HKLM\Software\Microsoft\Cryptography registry key.
InstallEXEName
InternetReadFile successful. SKMS Return Value = %s.
Error getting SKMS status code from skms. Registration key will not be able to be verified.
Error getting install date from SBAMConfig.bin
Error writting install date to SBAMConfig.bin
Invalid date from SBAMConfig.bin
Error getting data from SBAMConfig.bin. Date is in the future, resetting to now.
SBAMConfig.bin exists
Query for operating system name failed.
Failed to Create the Web Object
Error getting SKMS status code from skms, it return an empty string. Registration key will not be able to be verified.
Unique Key = %s
Validating Registration Code: %s
Didn't receive a registration key from SKMS. Will try again on next attempt.
The Registration code returned by SKMS did not validate as a registration key. This data will not be used.
Request to SKMS for a trial key returned success, will attempt to validate that this looks like a valid key. SKMS Returned = (%s).
The request to SKMS was unable to AutoGet Registration key. Will try again on next attempt.
SKMSRegistration::AutoGetRegistrationKey
?KEYVALUE=
kbu.dat
Proxy is enabled, using server name (%s).
WinHttpOpen failed error [%d]. Proxy server name is (%s). Returning false.
Leaving SBInternetAccess after WinHttpOpen returning false.
WinHttpOpen returned valid handle, checking request url .
hXXps://
Invalid RequestURL (%s) unable to retrieve server name.
Invalid RequestURL (%s) unable to retrieve application request name.
WinHttpConnect to failed error [%d]. Request not performed.
Leaving SBInternetAccess after WinHttpConnect returning false.
WinHttpConnect to successful.
WinHttpOpenRequest of failed error [%d]. Request not performed.
Leaving SBInternetAccess after WinHttpOpenRequest returning false.
WinHttpOpenRequest successful.
WinHttpSendRequest returned [%s] GetLastError returned [%d].
WinHttpReceiveResponse returned [%s] GetLastError returned [%d].
error = ERROR_WINHTTP_RESEND_REQUEST, so resending request...
A WinHttp* call returned an error, GetLastError returned [%d].
WinHttpQueryHeaders returned [%s].
Received HTTP_STATUS_SERVICE_UNAVAIL response to WinHttpQueryHeaders.
Received HTTP_STATUS_OK response to WinHttpQueryHeaders.
Received HTTP_STATUS_PROXY_AUTH_REQ response to WinHttpQueryHeaders. The proxy requires authentication. Sending credentials.
GetLastError = [%d] calling WinHttpQueryAuthSchemes during Proxy Authentication processing.
Status code [%d] returned from WinHttpQueryHeaders while reading response from web service.
WinHttpQueryHeaders returned status [%d], GetLastError = [%d]
WinHttpQueryDataAvailable returned [%d] bytes available to read.
Reading the data into file .
WinHttpReadData() error . Download not completed successfully.
Open of download file failed with error [%d]. Download not performed.
Closed download file, [%d] total bytes downloaded.
Returning buffer data (%S).
Progress call back indicated cancel download. Deleting partial download file .
Caught an exception error [%d] trying to get data from internet. Request not performed.
Leaving SBInternetAccess returning [%s].
Request URL is empty. Unable to request data from internet server.
SBAMInternetAccess::SBPostURLReadResult
SBPostURLReadResult Request URL is (%s).
SBAMInternetAccess::SBPostURLSaveToFile
Request URL is empty. Cannot request data from internet server.
SBPostURLSaveToFile Request URL is (%s).
z:\lmx\sw\lmx-0050\lmxparse.h
lmxparse.cpp
l_event != EXE_UNKNOWN
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
w.bat
WUSER32.DLL
!#%*,/:;?@[]__{{}}
!#%'**,,./:;?@\\
$$ ^^``||~~
||~~
tnft_temp.zip
hXXp://dbteam_testbox/ThreatNetResTService/SendFileService.svc/ThreatNetTransferFile?
sFilePath: ; sURL: ; sPassword:
Error deleting zip file:
File is too large to transfer to ThreatNet. Unable to transfer file to Threatnet.
COM error: x> Description: .
Args: sFilePath: ; sURL: ; sPassword:
Error %d. Unable to open file: . File(s) will not be transfered to ThreatNet
GetZipFile Args: sZipPathFileName: ; iFileLength:
COM error: x> Description: . Unable to transfer file to ThreatNet.
Xceed error: . Unable to transfer file to ThreatNet.
ZipFiles Args: sBasePath: ; sFilesToProcess: ; sZipPathFileName: ; sPassword:
The file is read only. Unable change file attributes for %s .
Error saving %s --%s
Failed to save %s .
Bad argument; pFilePath is NULL. %s.
Error reading %s --%s
Failed to read %s .
r4.0.0
Couldn't resolve path=.
Couldn't get file info from path=. Go to next item.
Couldn't get value from [hive:key:value]=[0x%x:%s:%s]. Leave now.
Couldn't resolve path=. Go to next item.
Got valid class path [%s] from [hive:key:value]=[0x%x:%s:%s].
Couldn't traverse for SUBKEYS under [hive:key]=[0x%x:%s]. Proceed normally.
Couldn't traverse for VALUES under [hive:key]=[0x%x:%s]. Proceed normally.
Couldn't access subkeys nor values under registry location [hive:key]=[0x%x:%s]. Returning now.
Couldn't find any ClsIds on registry location [hive:key]=[0x%x:%s]. Returning now.
Couldn't get path from ClsId=. Go to next item.
No Clsid paths were found under [hive:key]=[0x%x:%s].
Got Clsid paths under [hive:key]=[0x%x:%s] successfully.
Couldn't traverse for ClsId paths under [hive:key]=[0x%x:%s]. Returning now.
Couldn't resolve path=. Proceed normally.
Couldn't get file info from path=. Proceed normally.
No Clsid info were found under [hive:key]=[0x%x:%s].
Got Clsid info objects under [hive:key]=[0x%x:%s] successfully.
software\microsoft\windows\currentversion\explorer\browser helper objects
Couldn't get the BHOs under HKEY_LOCAL_MACHINE.
Couldn't get the BHOs under HKEY_CURRENT_USER.
%sClsIds were found under the BHO registry location.
Couldn't get ActiveX objects under HKEY_LOCAL_MACHINE.
Couldn't get ActiveX objects under HKEY_CURRENT_USER.
%sClsIds were found under the Active X registry location.
software\microsoft\windows\currentversion\explorer\shellexecutehooks
Couldn't get ShellExecHooks under HKEY_LOCAL_MACHINE.
CSBExplorer::GetShellExecHookColl
Couldn't get ShellExecHooks under HKEY_CURRENT_USER.
%sClsIds were found under the windows shell execute registry location.
Couldn't get Shell Execution Hooks.
CSBExplorer::GetShellExecHooks
Got info from no Shell Execution Hook.
Got all Shell Execution Hooks info successfully.
Couldn't get ip address from input string [%s].
Couldn't get host information from Ip address [%s].
There is no server name for Ip address [%s].
Buffer for host name is not big enough iLen=[%d], strRemoteHost=[%s].
It failed in getting info from file path [%s]. Leave now.
Couldn't get host name from ip address [%s]. Go to next item.
GetModuleFileNameEx failed [%u]
Invalid start up type eType=[%d].
Couldn't get list of files under path=[%s].
desktop.ini
Couldn't get shortcut info path=[%s] or it's not a shortcut. Proceed normally.
Couldn't resolve path to file pointer by shortcut path=[%s]. Go to next file.
Couldn't get file info path=[%s]. Proceed normally.
software\microsoft\windows\currentversion\run
Invalid start up type eType=[%d].Leave now.
Registry location empty eType=[%d]. Leave now.
Couldn't get file path from command strCmd=[%s].Go to command.
Couldn't get file info path=[%s].Proceed normally.
software\microsoft\windows nt\currentversion\winlogon
Invalid start up type eType=[%d]. Leave now.
Got empty string on registry location [hive:key:value]=[0x%x:%s:%s]. Leave now.
Couldn't get file path from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Couldn't resolve path to file path=[%s]. Go to next item.
There is no Windows logon to get info from.
Got info from all Windows logon programs successfully.
Couldn't find host file on location paht=[%s].
Successfully got path to host file paht=[%s].
Couldn't open hosts file on path=[%s]. Leave now
Couldn't memory to get data from file path=[%s]. Leave now
Failed reading data from hosts file path=[%s]. Leave now.
Push data host into collection [HostName:IpAddr]=[%s:%s]
Couldn't get wisock version from registry location [hive,key,value]=[0x%x:%s]. Leave now.
Got wisock version from registry location [hive,key,value]=[0x%x:%s] successfully.
Found no subkeys under [hive,key]=[0x%x:%s]. Returning now.
Got no data from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Got registry binary value successfully from [hive:key:value]=[0x%x:%s:%s]. Proceed normally.
Unknown value type queried from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Couldn't query value from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
mswsock.dll
rsvpsp.dll
Couldn't resolve path=[%s]. Go to next item.
Couldn't get file info from path=[%s]. Go to next item.
Got version info, dwInfoSize=[%d] and pInfoBuff=[0x%p].
Unexpected file version data structure size, uiDataLen=[%d]. Leave now.
XX
FileVersion =
CompanyName =
ProductName =
SpecialBuild =
InternalName =
PrivateBuild =
FileDescription =
ProductVersion =
LegalCopyright =
LegalTrademarks =
OriginalFileName =
Couldn't open file to calculate the MD5, errno = %d, strPath = %s.
Couldn't set mode to file, errno = %d, strPath = %s.
Source file path must be a valid full path, strPath=. Leave now.
Couldn't calculate the MD5, strPath=. Proceed normally now.
Couldn't get version information from file strPath=. Proceed normally now.
Couldn't open file, strPath=. Proceed normally now.
Couldn't get file times, strPath=. Proceed normally now.
Windows
Operating System
(Export Version)
Calculated non-version file info successfully, strPath=.
Path to file [%s] found on [%s].
Invalid file name [%s].
inetinfo.exe
Path to file [%s] NOT found.
Path to file in the registry [%s] found on [%s].
Invalid command string path strCmd=[%s].
CSBFileSystem::ResolveCmdLine
%1\"" %*
""%1"" %*
Got valid full path for strResolvedCmd=[%s].
Got valid full path for strResolved=[%s].
Got valid full path strResolved=[%s].
Invalid file path or name [%s]
Invalid directory path [%s]
Couldn't test folder existance [%s].
Folder existance tested successfully [%s].
Invalid path [%s]
Skipping default directories under [%s]
Couldn't traverse all files under [%s]
Directory doesn't exist [%s].
Failed getting info of all files under path=[%s].
Got info of all files under path=[%s].
Failed to get files under directory path=[%s].
Current file to get info from [%s].
File doesn't exist path=[%s].
Couldn't get hive handle: Hive:Key=[0x%x:%s].
Couldn't get hive handle: Hive:Key:Value=[0x%x:%s:%s].
Couldn't get registry key: Hive:Key:Value=[0x%x:%s:%s].
No buffer nor size for data : pbvData = 0x%p, dwSize = %d.
No size for data buffer : pbvData = 0x%p, dwSize = %d.
Get registry value : Hive:Key:Value=[0x%x:%s:%s].
Registry value successfully queried: Hive:Key:Value=[0x%x:%s:%s].
Registry value size successfully queried: Hive:Key:Value=[0x%x:%s:%s], dwDataSize = %d.
Got no data from registry location [hive:key:value]=[0x%x:%s:%s]. Leave now.
Got registry string successfully, strData=%s : Hive:Key:Value=[0x%x:%s:%s].
CSBRegistry::EnumRegistrySubkeyColl
Enumerate all subkeys under a given key : Hive:Key=[0x%x:%s].
Got subkey [index=%d, name=%s] successfully from: Hive:Key=[0x%x:%s].
Failed enumerating subkeys from: Hive:Key=[0x%x:%s].
Couldn't get registry key: Hive:Key=[0x%x:%s].
Invalid value or data sizes, dwValue=%d, dwData=%d : Hive:Key=[0x%x:%s].
Found the value [%s] under [hive:key]=[0x%x:%s] successfully.
Failed enumerating values from: Hive:Key=[0x%x:%s].
Found [%d] values under [hive:key]=[0x%x:%s] successfully.
No values were found under [hive:key]=[0x%x:%s] successfully.
gAdvapi32.dll
Got process dwPID=[%d] file path [%s].
Couldn't get file name on process id [%d] to get its path.
Couldn't open process id [%d] to get its path.
Couldn't get module handle from process PID[%d]
Couldn't get info from module handle from process PID[%d]
Unable to set platform info platform ID, BuildNo MajorVersNo MinorVersNo ServicePackInfo
SHGetFolderPath API call failed when getting CSIDL
SHGetSpecialFolderPath API call failed when getting CSIDL
Got CSDIL path successfully
Failed to expand environment strings
Source string is too big when expanded
Source string expanded to
Couldn't get registry data value from registry location [hHive:Key:Value]=[%d:%s:%s]. Leave now.
Couldn't expand any environment variables on
%SYSTEMDIRECTORY%
%SYSTEM%
%SYSTEMROOT%
%WINDOWS%
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ACTIVEX CACHE
%DOWNLOAD_PROGRAM_FILES%
%STARTUP%
%COMMON_STARTUP%
%COOKIES%
%DESKTOPDIRECTORY%
%FAVORITES%
%STARTMENU%
%COMMON_STARTMENU%
%COMMON_PROGRAMS%
%COMMON_FAVORITES%
%COMMMON_ALTSTARTUP%
%COMMON_DESKTOPDIRECTORY%
%COMMON_APPDATA%
%DEFAULT_STARTUP%
%DRIVERS_ETC%
Got full path from abreviated path
Couldn't find full path for abreviated path
Failed getting file path for the shell link object, hr=[%d].
Failed getting description for the shell link object, hr=[%d].
Couldn't find shell link object shortcut, hr=[%d].
Couldn't open shell link object shortcut, hr=[%d].
Assertion failed: %s, file %s, line %d
74.0.0
7.0.0.4
%Program Files% (x86)\STOPzilla\SBAMSvc.exe
SBAMSvc.exeSBAMSvc.exe_3448_rwx_00D60000_00001000:
.edata
.rsrc
.rdata
.debug
.idata
.relocSBAMSvc.exe_3448_rwx_00D90000_00004000:
gmer.dllGMERgmer.exe -l.text
.rsrc
.data
.rdata
checkpoint.com
\\.\PrimaxPointingDeviceFilterSoftware\Primax\Mouse Suite 98.text
.reloc
.idata
hXXp://tufei
03.ho
4u.ch
SET RESCUEAPP_MAJOR=%d
SET RESCUEAPP_MINOR=%d
.text
pexcel.jar
pocketword.jar
xmerge.jar
clasOpenOffice.org Calc
OpenOffice.org Calc XML Document
{C6AB3E74-9F4F-4370-.reloc
ADVAPI32.dll
USER32.dll
KERNEL32.dll
COMCTL32.dll
WhatsUp-Setup.exe
.rsrc.data.rdata.textPEMZ
techinline.com
idlecrawler.com
support@fixila.com
WEB PICK - INTERNET HOLDINGS LTD
Webroot Inc.
ComboFix.exe
14.3.1.53697
.ndata
icuuc40.dl
Winlogon.exe
%SYSTEM%\Winlogon.exe
masswatermark.comSBAMSvc.exe_3448_rwx_00DA0000_00006000:
Mimetype_mscab found type %dSTOPzilla.exe_3836:.text`.rdata@.data.rsrc@.reloct.jTjt.jtjt.jpju.PPht.jHjt.jhjt.jLjt.jPjuO8^ItJSSh78SQLiu.hp{f;F.sAf;H.sAL$4f;P.sF3.6.78.9:;B.CDEFFGFUu.AUu FUupt.Vot/vptClptsetting_smtpemail_advanced_error_portcleaner_option_reportscan_month_select_day_%dscan_day_select_day_%d.ZHtheme.dialogs.dialog(descriptor:license_instance_keysupport_phone_demosupport_phone_expiredsupport_phone_fullsupport_phone_suspendedsupport_phone_freesupport_phone_currentpipe.closedsetting.app.direct3doption_flag_enforcer_executionaction_supportsupport_backsupport_action_chatsupport_action_websupport_action_emailsupport_action_phonesupport_value_instancepage_supportscan.results_xmloptions_support_instance_copy_failedoptions_support_instance_copiedsetting.app.show-splashscheduled.phone-home.get.vipre-targetssettings.app.battery-powersetting.app.notify-detected-threatssettings.scan.root-kitssettings.scan.low-prioritysettings.scan.updatesettings.scan.archivessettings.scan.low-severitysettings.scan.auto-cleansettings.scan.cookiessettings.scan.removabletheme.dialogs.dialog(descriptor:dialog_options)nag.demo.next_nagnag.expired.next_nagnag.suspended.next_nagnag.subscription.next_nagactivate_key_1activate_key_2activate_key_3activate_key_4activate_key_%dactivate_result_key_invalidactivate_result_key_inactiveexternal.reseller_idtheme.dialogs.dialog(descriptor:dialog_splash)SQLite format 3REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYCREATE TABLE sqlite_master(sql 
text3.8.8.3CREATE TEMP TABLE sqlite_temp_master(%s>%s?>operator >> (CSZVinaryData& failurelast-execute-timelast-execute-resultlast-execute-result-textstored-action.savednever-executedCSZStoredAction::Executepipe-nameCSZApplicationPipeClient::_ExecuteCSZApplicationPipeClient::GetWrapperCSZApplicationPipeClient::OnPacketstored-action.deletedexternal.editionexternal.productexternal.downloader_idexternal.affiliate_idSupportCSZHomeServiceLicense::ExtractSupportCSZHomeServiceComponentResult::ParseTokenKeyCSZAppDB::ExecuteMigrationCodeCSZApplicationPipeServer::Replykey-inactivekey-invalidkey-mismatchkey-in-useSMTPErrorStringCloseEmailWindowMsgBadUrlCheckingEnabledBadUrlReplacementTextWindowsLiveMailClientEnabledBadUrlActionEnumPortMsgIDRegKeyBaseURLLogToWindowsEventLogPasswordcustom.all-drivescustom.ignore-removablecustom.known-file-typescustom.processescustom.cookiescustom.registrycustom.deep-processescustom.derivativescustom.all-userscustom.archivescustom.root-kitscustom.path.custom.common-tacticstheme.assetsds_noidlemsglbs_wantkeyboardinputes_passwordlvs_reportCSZHttpContentHandler::StatusCodeCSZHttpContentHandler::ContentLengthCSZHttpContentHandler::ReceiveContentCSZHttpContentHandler::CompleteContentCSZHttp::RequestCSZHttp::ReportStatusCodeCSZHttp::ReportContentLengthCSZHttp::ReportCompleteCSZHttp::ReportContentCSZSQLDatabase::ExecuteSQLCSZSQLDatabase::CompileSQLSQLITE_
d:d:d
d-d-d
d-d-d d:d:d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s%c%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
invalid page number %d
2nd reference to page %d
freelist leaf count too big on page %d
Page %d:
%d of %d pages missing from overflow list starting at %d
failed to get page %d
On tree page %d cell %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Page %d is never used
Fragmentation of %d bytes reported as %d on page %d
unknown database %s
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
%s(%d)
MJ collide: %s
-mjX9X
%s-mjXXXXXX9XXz
MJ delete: %s
FOREIGN KEY constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
FOREIGN KEY
%s constraint failed
cannot open savepoint - SQL statements in progress
abort at %d in [%s]: %s
%s constraint failed: %s
cannot commit transaction - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
statement aborts at %d: [%s] %s
cannot change %s wal mode from within a transaction
cannot open value of type %s
cannot open table without rowid: %s
cannot open view: %s
cannot open virtual table: %s
indexed
cannot open %s column for writing
no such column: "%s"
foreign key
misuse of aliased aggregate %s
%s: %s.%s
%s: %s
%s: %s.%s.%s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
hex literal too big: %s
%s%.*s"%w"
sqlite_rename_table
%.*s"%w"%s
%s OR name=%Q
sqlite_rename_trigger
sqlite_rename_parent
sqlite_
table %s may not be altered
type='trigger' AND (%s)
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
there is already another table or index with this name: %s
view %s may not be altered
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_altertab_%s
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat3
sqlite_stat4
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
too many attached databases - max %d
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
unable to open database: %s
database %s is already in use
database %s is locked
no such database: %s
cannot detach database %s
%s %T cannot reference objects in database %s
%s cannot use variables
sqlite_detach
sqlite_attach
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
there is already an index named %s
object name reserved for internal use: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
too many columns on %s
duplicate column name: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
PRIMARY KEY missing on table %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE %s %.*s
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
table %s may not be dropped
use DROP TABLE to delete table %s
cannot create a TEMP index on non-TEMP table "%s"
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
views may not be indexed
virtual tables may not be indexed
table %s may not be indexed
sqlite_autoindex_%s_%d
table %s has no column named %s
there is already a table named %s
index %s already exists
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
no such index: %S
a JOIN clause is required before %s
%s.rowid
unable to identify the object to be reindexed
%s.%s
table %s may not be modified
cannot modify %s because it is a view
duplicate WITH table name: %s
no such collation sequence: %s
sqlite_version
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_source_id
sqlite_log
foreign key mismatch - "%w" referencing "%w"
%d values for %d columns
table %S has no column named %s
table %S has %d columns but %d values were supplied
unable to open shared library [%s]
sqlite3_
sqlite3_extension_init
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_check
defer_foreign_keys
foreign_key_list
foreign_keys
*** in database %s ***
NULL value in %s.%s
unsupported encoding: %s
malformed database schema (%s)
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
%s - %s
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
column%d
%s:%d
COMPOUND SUBQUERIES %d AND %d %s(%s)
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
circular reference: %s
table %s has %d values for %d columns
no such index: %s
multiple references to recursive table: %s
sqlite_sq_%p
too many references to "%s": max 65535
multiple recursive references: %s
recursive reference in a subquery: %s
no such table: %s
%s.%s.%s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
no such column: %s
no such trigger: %S
-- TRIGGER %s
cannot VACUUM - SQL statements in progress
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
PRAGMA vacuum_db.synchronous=OFF
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
vtable constructor did not declare schema: %s
vtable constructor failed: %s
automatic index on %s(%s)
no such module: %s
table %s: xBestIndex returned an invalid plan
ANY(%s)
AS %s
PRIMARY KEY
SUBQUERY %d
TABLE %s
COVERING INDEX %s
INDEX %s
VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
USING INTEGER PRIMARY KEY
at most %d tables in a join
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
database corruption at line %d of [%.10s]
no such table column: %s.%s
X:\sz7.0.1.3\Build7\Release\x86\STOPzilla.pdb
mfc120u.dll
__crtGetShowWindowMode
_amsg_exit
_wcmdln
MSVCR120.dll
_calloc_crt
__crtSetUnhandledExceptionFilter
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
KERNEL32.dll
ExitWindowsEx
EnumChildWindows
GetKeyState
USER32.dll
GDI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
MSVCP120.dll
RPCRT4.dll
MPR.dll
d3d9.dll
WinHttpOpen
WinHttpConnect
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpSetOption
WinHttpQueryOption
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
EnumWindows
MsgWaitForMultipleObjectsEx
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
VERSION.dll
WaitNamedPipeW
.?AVCCmdTarget@@
.PAVCException@@
.PAVbad_cast@std@@
.PAVexception@std@@
.?AVDelegate@CSZApplicationPipeClient@@
.?AVListener@CSZHttpContentHandler@@
.PAVrange_error@std@@
.PAVruntime_error@std@@
.?AVCSZPWKeyValueNotify@@
.?AVDelegate@CSZApplicationPipeServer@@
.?AVCSZPacketPipeConnection@@
.?AVCSZPipeConnection@@
.?AVCSZApplicationPipeClient@@
.?AVCSZSQLDatabase@@
.?AVCSZPacketPipeClient@@
.?AVCSZPipeClient@@
.?AVCSQLMigrationStep@@
.?AVCVIPREWebFilterEvents@@
.?AU_ISBWebFilterEvents@@
.?AVCSZGraphicsShape@@
.?AVCSZGraphicsShapeRectangle@@
.?AVCSZHttpContentHandler@@
.?AVCSZPipeConnectionThread@CSZPipeConnection@@
.?AVCSZSQLStatement@@
]]>
true
true
0%1X1
1$2(2,202
7Â8I8
2/2$3F3X3o3
1(2,2024282
40805_5S5h5u5=$=2&252\2}23]3&454{41o1v102F2%3X3x37%8X85Y5F5O5k5{59%9U9c9z98(9,90949892-2O23,4044484> >$>(>,>0>4>8>8 8$8(8,82999: :$:(:,:0:4:8:6 6$6(6,60646>#>)>9>?>9 9$9(9,909;(;7;\;~;6%7U7; ;$;(;,;> >$>(>,>0>4>0 0(0,00040803 3$3(3,37 7$7(7,7074787:,=0=4=8=%s (%s:%d)%Program Files% (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\afxwin1.inleuTheme: Loading "STOPzilla" at "%s".Theme: Failed Loading "STOPzilla" at "%s".hXXp://VVV.stopzilla.com/{8DFC6702-AF86-4CBB-9D8B-00055514603A}Detected 'pipe.closed' trigger...scan.custom.scan.custom.partialsscan.custom.fullsurl_storeurl_chaturl_supportemail_supportdurl_helpEMAIL AV: %sdurl_purchaseurl_registerexternal.home_service_urlhXXps://secure.logmeinrescue.com/customer/Code.aspxContent-Type: application/x-www-form-urlencodedSupport.exeGlobal\update.binaries.skip_waiturl_renewWindows 95Windows 98Windows MEWindows NT 4.0Windows 2000Windows XPWindows .NetWindows VistaWindows 7Windows Server 2008Windows Server 2008 R2Windows 8Windows 8.1Windows 10Windows 2012 ServerWindows 2012 Server R2Web Server%s ~%d MHZGetLogicalProcessorInformation is not supported.Unable to determine windows version%u.%u.%uokernel32.dllWindows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Web Server EditionWindows Server 2003 R2,Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003,Web EditionWindows XPWindows 2000(build %d)[%d/%m/%Y %H:%M:%S](%s%s%s%s%s):shfolder.dll"%s" %shkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoicehkcr\http\shell\open\command%hs(%d): failed [%u|%s]%hs(%u, %u): failed [%u|%s]httpsHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTHKEY_CURRENT_CONFIGHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_DYN_DATAKernel32.dll%s%s%s%ssystem.last_boot_timee%hs: %hs named '%s' updated to %u%hs: unable to parse received action content '%hs' [%u]%hs: attempt to execute an action with no implementation!support.phone.%support.phone.e%s 
InitializingProcess ID: %uUnable to start pipe client. (0xX)SetProcessAffinityMask failed [%u|%s]Working Directory: %sCSZLogManager::Initialize(0x%X) failed [%u|%s]ConstructLogFile(%s) failed [%u|%s]application-pipe-client%hs: wait failed with unexpected result %u%hs: no wrapper for opCode %u%hs: unhandled incoming packet - opCode(%u)e%hs: unable to compile empty or missing SQL statement%hs: no database available for SQL statement '%s'%hs: failed to compile SQL statement '%s'%hs: found duplicate name '%s' for type '%hs'CONFIG.XML%hs: duplicate component (%d|%hs)%hs: updated license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)t%hs: failed to update license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d) [%u|%s]%hs: component '%hs' skipped with result %d%hs: missing value for region '%s' and status '%hs'%hs: duplicate region key '%s'%hs: missing %d of %d expected statuses in region '%s'%hs: invalid status value '%hs' for region '%s'%hs: no token key provided%hs: unexpected token key '%hs'%hs: parse error on markup '%hs' [%u|%s]%hs: element '%hs' not supported by config object factory%hs: request execution failed%hs: request failed with result %u [%s]%hs: Received %uException: %sFailed: %s%s in transactionINSERT INTO migration_history (version, phase) VALUES (%d, %d)Failed to get value '%hs' for user '%hs' [%d|%s]Failed to set value '%hs' for user '%hs' [%u|%s]Failed to get system value '%hs' [%d|%s]Failed to delete value '%hs' for user '%hs' [%u|%s]Failed to set system value '%hs' [%u|%s]Failed to delete system value '%hs' [%u|%s]Failed to delete %hs keys %s %s [%u|%s]'%s' set aside but new file not opened'%s' cannot be opened and cannot be set aside'%s' not created'%s' set aside and recreatedNo phase %d (%hs) migration necessary; current migration is %d'%s' cannot be set asidePhase %d (%hs) migration mismatch - DB is %d and application is %dMigrated phase %d (%hs) from version %d to %dSELECT value_type, value_data 
FROM kv_data WHERE user=? AND key=?REPLACE INTO kv_data (user, key, value_type, value_data) VALUES (?, ?, ?, ?)SELECT key, value_type, value_data FROM kv_data WHERE user=? AND key LIKE ?DELETE FROM kv_data WHERE user=? AND key LIKE ?DELETE FROM kv_data WHERE user=? AND key=?DELETE FROM kv_data WHERE user=? AND key NOT LIKE ?Failed to compile statement '%s' [%u|%s]Failed to execute statement '%s' [%u|%s]%hs: CreateFile('%s') failed [%u|%s]tFailed to execute function '%hs' [%u|%s]lFailed to set value '%hs' [%u|%s]%hs: unsupported step '%hs'%hs: invalid option '%c' for component (%d/%hs)%hs: option '%c' for component (%d/%hs) requires value for variable %hs%hs: option '%c' for component (%d/%hs) contains unbalanced variable delimitersCreateInstance(CLSID_SBLogger) returned 0xXCreateInstance(CLSID_SBService) returned 0xXCreateInstance(CLSID_SBScanControl) returned 0xXCreateInstance(CLSID_SBActiveProtection) returned 0xXCreateInstance(CLSID_SBRegistration) returned 0xXCreateInstance(CLSID_SBQuarantine) returned 0xXCreateInstance(CLSID_SBThreatDefinitions) returned 0xXCreateInstance(CLSID_SBSoftwareUpdates) returned 0xXCreateInstance(CLSID_SBWSC) returned 0xXCreateInstance(CLSID_SBVipre) returned 0xXCreateInstance(CLSID_SBFirewall) returned 0xXCreateInstance(CLSID_SBEmailAV) returned 0xXCreateInstance(CLSID_SBHIPS) returned 0xXCreateInstance(CLSID_SBWebFilter) returned 0xXCreateInstance(CLSID_SBLanGuard) returned 0xXReleased ISBFirewallWebFiltervipre.config.scan.known-apps.reset%hs: VIPRE failure [0xX|%s]gVIPRE: Error communicating to set back the config: %sIncompatibles Check: Did not find program data in '%s' or '%s'incompats.datIncompatiblePrograms.dllIncompatibles Check: Found '%s' but not '%s'Incompatibles Check: '%s' does not contain function '%hs'Incompatibles Check: Found but did not load '%s' [%u|%s]B%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been cleaned.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla 
Version = %VIPREVERSION%%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been quarantined. You can unquarantine this suspicious file from the %PRODUCT% application.%CRLF%Definition Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been deleted.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%%PRODUCT% Anti-phishing removed a known bad URL from your email message. It was deleted or quarantined and replaced with this message.*.themetheme.xml.themenCSZGraphicsHive::_ReferenceFont - Failed to load font '%S'.CSZGraphicsHive::_LoadTTF - Failed to load system font '%s' (0xX).CSZGraphicsHive::_LoadTTF - Loading font '%S'.CSZGraphicsHive::_LoadTTF - Failed to load memory font '%S' (0xX).CSZGraphicsHive::_LoadTTF - Failed to find container file '%s'.CSZGraphicsHive::_LoadTTF - Failed to find font face '%S'.Direct3D: Could not create IDirect3DDevice9 (0xX).Error: Unexpected message loop (0xX).ColumnData_%dColumnWidth_%dcomctl32.dllUxTheme.dll%Program Files% (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\afxwin2.inlCSZGraphicsFont::Load - GDI Failed to load '%s' (0xX)%hs (%p): uStatusCode = %u%hs (%p): actual content length (%I64u) exceeds reported (%I64u)HTTPSSZHttp/1.0%hs: WinHttpConnect(%s, %u) failure [%u|%s]%hs: WinHttpOpen failure [%u|%s]%hs: WinHttpSetOption - WINHTTP_OPTION_CONNECT_TIMEOUT - failure [%u|%s]%hs: WinHttpOpenRequest(%s, %s) failure [%u|%s]%hs: WinHttpSetOption - WINHTTP_OPTION_RECEIVE_TIMEOUT - failure [%u|%s]%hs: WinHttpSetOption - WINHTTP_OPTION_SEND_TIMEOUT - failure [%u|%s]%hs: WinHttpSetOption - WINHTTP_OPTION_RESOLVE_TIMEOUT - failure [%u|%s]%hs: WinHttpSetOption - WINHTTP_OPTION_RECEIVE_RESPONSE_TIMEOUT - failure [%u|%s]%hs: WinHttpSetOption failure [%u|%s]%hs: WinHttpQueryOption failure [%u|%s]%hs: WinHttpReceiveResponse failure [%u|%s]%hs: WinHttpSendRequest failure 
[%u|%s]%hs: request failed with status %u%hs: WinHttpQueryHeaders(WINHTTP_QUERY_STATUS_CODE) failure [%u|%s]%hs: WinHttpQueryDataAvailable failure [%u|%s]%hs: WinHttpQueryHeaders(WINHTTP_QUERY_CONTENT_LENGTH) failure [%u|%s]%hs: WinHttpReadData failure [%u|%s]\\.\pipe\%hs: queue '%s', index %u - wait failed with result %u%hs: queue '%s', index %u - thread 0x%X started%hs: queue '%s', index %u - thread 0x%X ending%hs: queue '%s' - attempt to start while abort is signalled%hs: queue '%s', index %u - failed to start [%u|%s]%hs: queue '%s', index %u - thread completed_%hs: '%s' (0xX)%hs: failed to compile '%s' [%d|%hs]dbghelp.dll%s%d.log%s%d.dmpUnhandled Exception: Code(0xX) Addess(0xX)%hs: expected sequence number greater than or equal to %u; got %u instead%hs: packet %u of request %u indicated no more data when %u packets remain.%hs: expected packet size in %u bytes; got %u bytes%hs: received %u bytes; 0 expected%hs: expected packet buffer of %u bytes; got %u bytes
xx
C:\ProgramData\STOPzilla!\dumps\STOPzilla.exefatal
7.0.1.3
STOPzilla.exe
SBAMSvc.exe_3448_rwx_00DC0000_00004000:
.upx2
.upx1
.upx0
.reloc
.idata
.rdata
.data
.text
AutoIT 3.3.12.0
AutoIT 3.2.6.0
AutoIT 3.2.0.0
AutoIT 3.0.100.0
AutoIT 3.0.102
Upack 0.3.9
SBAMSvc.exe_3448_rwx_00E20000_0000A000:
T$.RV
Compiler Detection: Borland C/C 1999 %d
Compiler Detection: Borland C Dll %d
Compiler Detection: FreeBasic_0_14 %d
Compiler Detection: MASM_TASM %d
Compiler Detection: MASM32 %d
Compiler Detection: Microsoft_Visual_C_2_0 %d
Compiler Detection: Microsoft_Visual_Cpp %d
Compiler Detection: Microsoft_Visual_Cpp_3_0_old_crap_ %d
Compiler Detection: Microsoft_Visual_Cpp_7_0_Custom %d
Compiler Detection: Microsoft_Visual_Cpp_8_0_Debug %d
Compiler Detection: Microsoft Visual C 8.0 Release %d
Compiler Detection: Microsoft_Visual_Cpp_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v4_x %d
Compiler Detection: Microsoft_Visual_Cpp_v5_0_v6_0_MFC_ %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_Debug_Version_ %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_SPx %d
Compiler Detection: Microsoft_Visual_Cpp_v7_0 %d
Compiler Detection: Microsoft_Visual_Cpp_v7_0_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_DLL_Debug_ %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_EXE %d
Compiler Detection: Microsoft_Visual_Cpp_vx_x %d
Compiler Detection: Microsoft_Visual_Cpp_vx_x_DLL %d
Compiler Detection: Microsoft_Visual_CSharp_Basic_NET %d
Compiler Detection: MinGW_GCC_DLL_v2xx %d
Compiler Detection: MinGW_GCC_v2_x %d
Compiler Detection: MingWin32_Dev_Cpp_v4_9_9_1_h_ %d
Compiler Detection: MingWin32_Dev_Cpp_v4_x_h_ %d
Compiler Detection: MingWin32_GCC_3_x %d
Compiler Detection: MingWin32_vn_n_h_ %d
Compiler Detection: PowerBASIC_CC_3_0x %d
Compiler Detection: PowerBASIC_CC_4_0 %d
Compiler Detection: PowerBASIC_Win_7_0x %d
Compiler Detection: PseudoSigner_0_1_Borland_Delphi_6_0_7_0_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Basic_5_0_6_0_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_5_0p_MFC_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_6_0_Debug_Version_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_7_0_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Cpp_1999_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Cpp_DLL_Method_2_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Delphi_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Delphi_Setup_Module_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Microsoft_Visual_Basic_5_0_6_0_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Microsoft_Visual_Cpp_7_0_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_MinGW_GCC_2_x_Anorganix %d
Compiler Detection: PseudoSigner_0_2_REALBasic_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Watcom_C_Cpp_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_WATCOM_C_Cpp_EXE_Anorganix %d
Compiler Detection: REALbasic %d
Compiler Detection: Star_PseudoSigner_0_1_Borland_Delphi_3_0_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Borland_Delphi_5_0_KOL_MCK_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Basic_6_0_DLL_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Cpp_6_0_Debug_Version_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Cpp_6_20_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_MinGW_GCC_2_x_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_WATCOM_C_Cpp_EXE_Anorganix %d
Compiler Detection: Stranik_1_3_Modula_C_Pascal %d
Compiler Detection: Symantec_Visual_Cafe_v3_0 %d
Compiler Detection: TASM_MASM %d
VB Signature: %x
VB Header Startaddress: %x
Compiler Detection: WATCOM_C_Cpp %d
Compiler Detection: WATCOM C/C 1.7 %d
Compiler Detection: WATCOM_C_Cpp_32_Run_Time_System_1988_1995 %d
Compiler Detection: ZipWorxSecureEXE_v2_5_ZipWORX_Technologies_LLC_h_ %d
SBAMSvc.exe_3448_rwx_00E30000_0000E000:
=-=/=*=&=,=>() -/*&[]
SBAMSvc.exe_3448_rwx_06F50000_00156000:
%SYSTEM%Win32.Unair{4b87fd04-2b89-0306-b0db-7dd6740e6c89}{4481a693-e8d2-9549-4315-0ef724694f3f}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaec9c9-2c0a-1c56-3063-e776919a4d6c}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB73411E-48F7-9D19-6293-EA0AD71836D4}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0fc85afd-096d-731e-a871-6c0f1af600dc}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaec9c9-2c0a-1c56-3063-e776919a4d6c}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB73411E-48F7-9D19-6293-EA0AD71836D4}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3698A47F-0E80-000E-7948-960CF605F542}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fc85afd-096d-731e-a871-6c0f1af600dc}HKEY_CURRENT_USER\Software\{C5D43B9E-F5B7-480B-B8C4-C3A78AF3E670}HKEY_CURRENT_USER\Software\{5d90b4ad-0f8f-c24a-865f-900f2caccae2}HKEY_CURRENT_USER\Software\{59301c76-ede9-a1a9-f66d-c99effa3aa02}HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{3698A47F-0E80-000E-7948-960CF605F542}uÂ$HKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERS\explorer.exe csrcs.exe124.40.51.1758.17.236.92360.cn360safe.cn360safe.com60.210.176.251chinakv.comcnnod32.cndswlab.comduba.neteset.comikaka.comjiangmin.comkaspersky.comkingsoft.comlanniao.orgnod32.comnod32club.comqihoo.cnqihoo.comrising.comsucop.comvirustotal.com7.0.6007.0.3790.7.0.2600.msvcrt.dllsfcfiles.dll.reloc.rsrc.data.textMenu\Programs\Startup\TEMP.HTA""",65/* 'if (!document.getElementById('JSSS')){ document.getElementsByTagName('head').item(0).appendChild(js) }; *//script>/script>/scr' 
'ipt>yourtruemate.ruyourtruegame.ruyourtruecrime.ruyourtopfilms.ruyourtolltag.ruyourtagheuer.ruyourmaxmedia.ruyourauthentic.ruyourarray.ruxxlwebhost.ruxboxliveweb.ruworldwebworld.ruworldwebmarkets.ruworldsouth.ruworldrat.ruworldmusicmagazine.ruworldhighspeed.ruwintersaleonline.ruwindow.redirectwhosaleonline.ruwebworldshop.ruwebpowerguide.ruwebnetloans.ruwebnetlinks.ruwebnetlender.ruwebnetexperts.ruwebnetenglish.ruweblessnet.ruwebithost.ruwebdirectbroker.ruwebdesktopnet.ruwavebank.ruwarbest.ruvotrelib.ruvipodnososki.ruviewhomesale.ruvideostan.ruvideosaleonline.ruvideo-bum.ruusaworldwideweb.ruurlnext.rutrueworldmedia.rutruesoulonline.rutruerealtime.rutruelifefamily.rutrueblueberyl.rutrueblueally.rutownwebmail.rutopmediasite.rutoplinemarine.ruthetruehelp.ruthestocksite.ruthespeeddate.rutheprocast.ruthemobisite.ruthemobilewindow.ruthelifetag.ruthelaceweb.ruthegiftsale.ruthechocolateweb.rutheaworld.rutheatticsale.rutheaonline.rutheantimatrix.rutestoogle.rutestilla.ruteenwebdesign.rutagsaleusa.rusupertruelife.rusuperpropicks.rusuperore.rusupernun.rusupernil.rusupernewstuff.rusupernetbet.rusupermyweb.rusuperhometours.rusuperhomeschool.rusuperhighest.rusuperaguide.rusugaryhome.rusuesite.rusportwebnet.rusoul-in-you.rusmert-vest.rusmartgaragesale.rusitesages.rusitedesigninc.rusimpleworldhouse.rusimplehomelink.ruserialarchive.ruseamscreative.infosaletradeonline.rurentbesthome.ruregaught.ruredtagjewelry.ruredtagcruises.ruredtagcentral.rurecentmexico.ruqualitysuper.ruprotechradio.ruprivius-life.rupreviouslife.rupoxudeli.rupornomig.rupopcorn-tv.rupiezenia.rupieeonline.ruourfreesite.ruorderseasilver.ruoneanotherlife.ruofficialohsupplies.ruobmanulis.runowhomecare.runewworldlink.runewwaronline.runewvillagefresh.runewsourceworld.runewhomeline.runewgolfonline.runewcitymap.runetmusicbank.rumyworldcampus.rumyskysite.rumyownage.rumygreatsale.rumycontentguide.rumusicboxpro.rumoviehit.rumoremindpower.rumingleas.rumindgameworks.rumediatagonline.rumaxserviceworld.rumanbest.rululucabana.comlj
inet.rulinuxwebcam.rulimowebcam.rulibprojet.ruletterssite.rulagworld.rukindpea.rujthek.rujohnsite.rujerseyhomesite.ruinnewterra.ruindiawebnet.ruillsite.ruicq-antivirus.ruhuzzahwebdesign.ruhuntalong.ruhXXp://zerosmak-kiev-ua.1gb.ua/hXXp://zeraa-com-ua.1gb.ua/hXXp://whhothatgirl-kiev-ua.1gb.ua/hXXp://unb0rn.biz/hXXp://toldspeak.com/hXXp://tiltandgrin.com/hXXp://promajik.com/hXXp://piazzacreative.com/hXXp://panhandlepointers.com/hXXp://mvblaw.com/hXXp://mabcom.net/hXXp://lendermedia.com/images/z.htmhXXp://kendoaruba.net/hXXp://iritirlast0.co.cc/hXXp://holcombewaller.com/hXXp://govos-com-ua.1gb.ua/hXXp://fixuss.bravehost.com/hXXp://ereintza.com/hXXp://dwmmanagement.com/hXXp://dottiehope.com/hXXp://dextersss-com-ua.1gb.ua/hXXp://alumicool.com/hXXp://3torres.com/hXXp://12s83.com/hotnewguide.ruhomeusaonline.ruhomesweetnetwork.ruhomesiteworld.ruhomesitedesigns.ruhomesaleplus.ruhomeproair.ruhomehousemiami.ruhomegreatloans.ruhomecarenation.ruhomebuyerscd.ruhighestdog.ruhalfsite.ruguiderose.ruguidebat.rugridrevolutions.rugreenscometrue.rugreatwebradio.rugreatvelocity.rugreatsalecenter.rugreatcarscity.rugoldgolfbag.rugethomesite.rugenuinenorth.rugenuinehollywood.rugenuineholly wood.rugenuinecolors.rugenuinecol 
ors.rugametopsite.rufunwebmail.rufreewebship.rufreeprosports.rufreemindlive.ruforhomessale.ruforesaleonline.ruforallpro.ruflywebcam.ruezsalebuy.ruezpoh.ruextrafreeweb.rueuroshares.ruerogod.ruegreatsale.rueasytabletennis.rueasymusicstore.rueasylifedirect.rudub-dubom.rudirectscsi.rudigitalsiteonline.rudietichka.rucybercityworld.rucounterbest.rucomingbig.rucometruestar.rucobalttrueblue.rucityhomesaustin.rucherrypieusa.rucarswebnet.rucarprotech.rubusop.infoburkewebservices.rubuejackmusic.rubrownbagbar.ruboardsaw.rublueseaguide.rubluejackmusic.rubluejackin.rublackseatrade.rubiltop.rubesttechhome.rubeststyleweb.rubestsis.rubestseasilver.rubestnewsmall.rubestnewhaven.rubestmedpro.rubestlifeusa.rubestjackoff.rubestcia.rubestbondsite.rubestbob.rubestartsale.rubeachdoo.rubattop.ruavattop.ruauthentictype.ruatwebhost.ruaohna.ruanycitytown.ruantivirusicq.ruanti-virus2010.ruampsguide.ruallpropro.ruallbagshop.ruaccurategenuine.ru/script>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNetHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxClsHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Systemc:\windows\system32\userinit.exe,%SYSTEM%\userinit.exeHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\GeneralHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ExplorerHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktopHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon7"7.relocHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSpHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NwsapagentHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstationHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IrmonHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpripHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IasHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\bin\dcc32.exe"uses windows;hXXp://VVV.wdheaven.cn/hXXp://VVV.thysearch.nethXXp://VVV.quary888.cn/hXXp://VVV.musicmoa.net/hXXp://VVV.membres.lycos.fr/chouhacasa/hXXp://VVV.membres.lycos.fr/bmwvir/hXXp://VVV.freewebtown.com/crman/hXXp://VVV.82vv.com/hXXp://VVV.77zb.com/hXXp://VVV.6783.com/?u2hXXp://VVV.223224.com/taobao/hXXp://VVV.17oye.cn/hXXp://wa3ra.110mb.com/hXXp://volam111.110mb.com/hXXp://thoidep.com/hXXp://test004.adultsexual.info/hXXp://ro7ei.com/hXXp://rmksa.com/hXXp://qgi.org.sa/hXXp://ms-dl-center3699.info/hXXp://moxulica.evonet.ro/hXXp://members.lycos.co.uk/sauytre00/hXXp://laylalesb.sitesled.com/hXXp://lauxanhus.110mb.com/hXXp://italiandirectory.com/hXXp://images2008.8866.org/hXXp://files.myopera.com/roball/hXXp://diendansinhvienvnn.com/hXXp://dichvum4g.net/hXXp://43leloi43.110mb.com/hXXp://194.160.227.34/hXXp://133666620.host.dj58.net/208.109.220.95173.236.97.27173.201.254.664.117.35.255127.0.0.1 localhostHost file has been infected by :W32.Depkominfo.AHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'))\/\/\o\n\l\y\f\i\n\d\.\n\e\t\/\i\n\.\c\g\i\?1\$ 1\$(1\$,1\$03kernel32.dll.mdataHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\A-%SYSTEM%\Tasks\A-REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\net /fREG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\net HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /sREG 
DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini /fREG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /sREG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\jjonjo HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /sHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HashVsSTDTestHKEY_LOCAL_MACHINE\SOFTWARE\HashVsSTDTest\Temp\UuU.uUu\TEMP\XxX.xXxfirefoxHKCU\Software\Microsoft\Windows\CurrentVersion\RunParseAutoexecSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon{CAB8D20A-31A9-4505-AD1B-6014A0F32D9D}{1EBE9E45-C4BB-4B2A-84CA-7257C9D28992}HKLM\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\RunHKEY_CURRENT_USER\Software\Classes\.exeHKEY_CURRENT_USER\Software\CryptoLocker_0388HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinlogonHKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\27\HKCU\softwaremicrosoftwindowscurrentversionpoliciesexplorerHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHKCU\Software\Policies\Microsoft\Windows NT\Terminal ServicesSCRNSAVE.EXEHKCU\Software\Policies\Microsoft\Windows\Control Panel\DesktopHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRunNoChangeKeyboardNavigationIndicatorsHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorerrundll32.exe.txt,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\2%WINDOWS%\Active.batSkypeAutoConect.exeHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSServiceHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPPortMapService.dspakHKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNHKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUNHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67EFG7H6-8IJL-56YT-KLH4-76WE2D3RAM87}%APPDATA%\Microsoft\Windows\xGgUFHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHost-process Windows (Rundll32.exe)Service Host Process for WindowsWINDOWS SYSTEMHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices198.175.125.141 sotialmonstercookie.ru198.175.125.141 m.ok.ru198.175.125.141 m.odnoklassniki.ru198.175.125.141 odnoklassniki.ru198.175.125.141 m.vk.com198.175.125.141 m.my.mail.ru198.175.125.141 my.mail.ru198.175.125.141 ok.ru198.175.125.141 VVV.odnoklassniki.ru198.175.125.141 vk.comWINDOWS NT SERVICE[1 5 7 17]%WINDOWS%\TASKS\FLASHDRV.JOB.exe.exe.ndata%SYSTEM%\drivers\etc\hT.TEQUILA4ffffuser32.dlladvapi32.dllmpr.dllffffuser32.dllmpr.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\SvcHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security CenterHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\systemHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHKEY_CURRENT_USER\Software\AasppapmmxkvsKERNEL32.dll.UPX0.vmp1.vmp0HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions 
presentHKEY_CLASSES_ROOT\batfile\shell\open\commandHKEY_CLASSES_ROOT\VBSFile\Shell\Open2\CommandHKEY_CLASSES_ROOT\VBSFile\Shell\Open\CommandHKEY_CLASSES_ROOT\VBEFile\Shell\Open2\CommandHKEY_CLASSES_ROOT\VBEFile\Shell\Open\CommandHKEY_CLASSES_ROOT\scrfile\shell\open\commandHKEY_CLASSES_ROOT\exefile\shell\runas\commandHKEY_CLASSES_ROOT\exefile\shell\open\command%SystemRoot%\System32\CScript.exe "%1" %*%SystemRoot%\System32\WScript.exe "%1" %*%WINDOWS%%PROGRAMS%\Foto.lnk%DESKTOPDIRECTORY%\Foto.lnk%PROGRAMS%\SUPER CONTENUTI.lnk%DESKTOPDIRECTORY%\SUPER CONTENUTI.lnk%PROGRAMS%\Club del Vizio - Foto Video Calendari - VM18.lnk%DESKTOPDIRECTORY%\Club del Vizio - Foto Video Calendari - VM18.lnk%SYSTEM%\winxtx%SYSTEM%\Winsystens%SYSTEM%\Winsysten%SYSTEM%\Winsystemt%SYSTEM%\Winsystemq%SYSTEM%\Winsystempo%SYSTEM%\Winsystemp%SYSTEM%\Winsystemm%SYSTEM%\Winsysteml%SYSTEM%\Winsystemk%SYSTEM%\Winsystemc%SYSTEM%\Winsystemas%SYSTEM%\WinsystemHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main{C7E341C1-655B-48EB-9FCC-5B56B4A96121}{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}HKEY_CURRENT_USER\Software\Microsoft\Internet 
Explorer\Extensions\CmdMapping{45525B3D-F0A7-4050-A067-3D0AFF22C45D}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DDF887BD-D021-4E54-ABC9-550A6FDCFA7F}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CDDFA4C7-FB54-493B-B751-99591FC0DD63}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AF866D80-2D98-49B9-A1F4-B8061C7E2C42}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99767248-6535-4064-A342-48DCBBFEDE21}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75CBFD0C-1513-4288-A5A9-F3D6C7DDD342}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6778D566-49BD-466D-9386-DD74E6AF5A23}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6725959F-EB01-4AA3-B75E-2E75E806C825}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{497F4F5A-5665-483B-8CD2-565750DEE151}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3C368A69-8A30-4B49-8451-FF65636F123A}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CA02EA2-55E6-429A-8246-A25AD3106C6F}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C7E341C1-655B-48EB-9FCC-5B56B4A96121}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet 
Explorer\Extensions\{45525B3D-F0A7-4050-A067-3D0AFF22C45D}HKEY_LOCAL_MACHINE\SOFTWARE\Freeware\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}HKEY_CURRENT_USER\Software\Freeware\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}HKEY_CURRENT_USER\Software\Freeware\{45525B3D-F0A7-4050-A067-3D0AFF22C45D}HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALLDisableCMDHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorersymldrv.exeHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfileHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfileHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRTDontReportInfectionInformationexplorer.exeExplorer.exe %WINDIR%\system32\drivers\service.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{F2C63239-A5DB-487B-B283-4132351E7AB6}HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htmHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htmhXXp://VVV.baidu.com/index.php?tn=mm667_pgHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\eHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinlogonHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\runHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe%SystemRoot%C:\WindowsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion%SystemRoot%\System32\drivers\etcHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed 
Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}dmboot.sysdmload.syssermouse.sysvga.sysKeyboard{36FC9E60-C465-11CF-8056-444553540000}{4D36E965-E325-11CE-BFC1-08002BE10318}{4D36E969-E325-11CE-BFC1-08002BE10318}{4D36E96A-E325-11CE-BFC1-08002BE10318}{4D36E96B-E325-11CE-BFC1-08002BE10318}{4D36E977-E325-11CE-BFC1-08002BE10318}{4D36E97B-E325-11CE-BFC1-08002BE10318}{4D36E97D-E325-11CE-BFC1-08002BE10318}{71A27CDD-812A-11D0-BEC7-08002BE2092F}{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}Tcpipdmio.sysrdpcdd.sysrdpwd.systdpipe.systdtcp.sysvgasave.syssr.sys{4D36E967-E325-11CE-BFC1-08002BE10318}{4D36E96F-E325-11CE-BFC1-08002BE10318}{4D36E972-E325-11CE-BFC1-08002BE10318}{4D36E974-E325-11CE-BFC1-08002BE10318}{4D36E975-E325-11CE-BFC1-08002BE10318}{4D36E980-E325-11CE-BFC1-08002BE10318}t\system32\sfcfiles.datHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sr\ParametersHKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WindowsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALLHKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"%Program Files%\Internet Explorer\IEXPLORE.EXE"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command"%Program Files%\Internet Explorer\IEXPLORE.EXE" "%1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command"%SystemRoot%\winhlp32.exe" "%1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command"%SystemRoot%\hh.exe" "%1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\commandregedit.exe "%1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\commandHKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\commandHKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\commandHKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command%SystemRoot%\system32\NOTEPAD.EXE 
%1HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\%SYSTEM%\winupdate86.exe%SYSTEM%\winlogon86.exe%SYSTEM%\winhelper86.dll%SYSTEM%\critical_warning.html%SYSTEM%\AVR10.exe%SYSTEM%\41.exewdmaud.drvHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32smss32.exeHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\%System%\winlogon32.exe%WinDir%\SYSTEM32\USERINIT.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\HKEY_CLASSES_ROOT\secfileHKEY_CLASSES_ROOT\.exeHKEY_CLASSES_ROOT\.exe\shellHKEY_CLASSES_ROOT\.exe\DefaultIconHKEY_CLASSES_ROOT\txtfile\shell\open\command%WINDOWS%\OK.iniHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopesHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListsecurityGuard.exeSAa34e.exeMSW.exeHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListHKEY_CLASSES_ROOT\securityGuard.DocHostUIHandlerHKEY_CLASSES_ROOT\securityGuard.DocHostUIHandler\ClsidHKEY_CLASSES_ROOT\SAa34e.DocHostUIHandlerHKEY_CLASSES_ROOT\SAa34e.DocHostUIHandler\ClsidHKEY_CLASSES_ROOT\MSW.DocHostUIHandlerHKEY_CLASSES_ROOT\CLSID\HKEY_CLASSES_ROOT\MSW.DocHostUIHandler\ClsidCheckExeSignaturesHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulationHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DownloadHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsHKEY_CURRENT_USER\Software\Microsoft\Internet ExplorerHKEY_CLASSES_ROOT\Software\Microsoft\Internet 
Explorer\SearchScopesHKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopesHKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopeshXXp://search-gala.comhXXp://findgala.comHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionssvchost.exeexplorer.exe rundll32.exe nynw.wmo mynleeqHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SystemHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersionVPTRAY.EXEUSBGUARD.EXEregedit.exepctstray.exepctsgui.exemsconfig.exemmc.exeAVP.EXEAVGNT.EXEashdisp.exeHKEY_CURRENT_USER\Software\vlad\SYSTEM32\USERINIT.EXE,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinlogonHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScheduleHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\SharesHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvcHKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\commandHKEY_LOCAL_MACHINE\Software\Classes\.exe\shellHKEY_CURRENT_USER\Software\Classes\.exe\shellHKEY_LOCAL_MACHINE\Software\Classes\secfileHKEY_CURRENT_USER\Software\Classes\secfileHKEY_CURRENT_USER\Software\Win Antispyware Centerexplorer.exe rundll32.exe thxr.wgo nwfdtx{260E99CE-9462-361D-9C07-5C104B50DC6D}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{260E99CE-9462-361D-9C07-5C104B50DC6D}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260E99CE-9462-361D-9C07-5C104B50DC6D}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\D.1\CLSIDHKEY_LOCAL_MACHINE\SOFTWARE\Classes\D\CLSID{2D046A82-BED0-36C5-85BC-4BC759C9C472}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D046A82-BED0-36C5-85BC-4BC759C9C472}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D046A82-BED0-36C5-85BC-4BC759C9C472}rundll32 svchost.dll,getrundll32 
SBAMSvc.exe_3448_rwx_2F60A000_00060000: