not-a-virus:AdWare.Win32.Shopper.adw (Kaspersky), GenericInjector.YR (Lavasoft MAS)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b7e586fb3669c782043c07eaa0c4603f
SHA1: caa094984d0c0040fcf97100f8d70bb25da8e0ea
SHA256: 912b223358b74b985ea7b17abb3f75346577a9a5a9cf6c81f2ea2356e8b12631
SSDeep: 12288:ZDjZfJJ4ctjz7JhqioPbD /P2gyI7 6Pk92YweEKVk1p7F2k5DdwvcpRELLYGf:JjJ4q718gyENeEKOpJ2k5Jze
Size: 751464 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Goobzo
Created at: 2015-02-07 20:13:58
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The not-a-virus creates the following process(es):
spbia.exe:1316
ShopperPro.exe:744
spbiu.exe:536
spbiu.exe:880
spbiu.exe:376
sc.exe:1188
wscript.exe:852
ShopperProJSINJFull.exe:1088
regsvr32.exe:1812
setup.exe:1704
%original file name%.exe:1352
The not-a-virus injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ShopperPro.exe:744 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (5 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)
The process spbiu.exe:536 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (439 bytes)
The process spbiu.exe:880 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (435 bytes)
The process ShopperProJSINJFull.exe:1088 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup.exe (1583141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (151172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup1.exe (142646 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup1.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\D1958.dll (0 bytes)
The process setup.exe:1704 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (340314 bytes)
%Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\AccDownload.dll (11048 bytes)
%Program Files%\ShopperPro\Updater.exe (25112 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Program Files%\ShopperPro\database1_0_0.json (5 bytes)
%Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
%Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsExec.dll (6 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Program Files%\Common Files\ShopperPro\spbici32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\MoreInfo.dll (7 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns9.tmp (6 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\jsdrv.exe (100378 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\jsdrv.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\AccDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns9.tmp (0 bytes)
The process %original file name%.exe:1352 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (39342 bytes)
Registry activity
The process spbia.exe:1316 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 71 10 DC 2D BF A3 E5 E8 64 18 F7 0A 60 2B B7"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process ShopperPro.exe:744 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\ShopperPro]
"CONFIGLOCATION" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKLM\SOFTWARE\ShopperPro\ExtraInfo]
"DBVersion" = "1.0.0.9"
[HKLM\SOFTWARE\ShopperPro]
"DBLocation" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\ShopperPro]
"Version" = "2.5.8305.1507"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 69 00 D6 95 F9 25 CD 54 B4 6D C4 DA E4 CF 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"NoExplore" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process spbiu.exe:536 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F A3 CA 1F 07 90 D3 E5 48 F5 47 C1 3F 6F 94 20"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Ult" = "Type: REG_QWORD, Length: 8"
The process spbiu.exe:880 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 7C F1 05 0D 12 B3 31 41 74 FA 1A B8 03 68 88"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Gcf" = "BD 5C D8 2C 4B 26 89 3B 6B 04 51 21 50 9E D3 FC"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"
[HKLM\SOFTWARE\ShopperPro\SPBIUpd]
"Scf" = "9E 85 BC F6 BE 20 20 AF B0 63 EB 7D E5 43 62 6E"
The process spbiu.exe:376 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B3 C8 34 25 43 C0 0B 27 88 3B B6 46 97 B0 3C"
The process sc.exe:1188 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 D5 C8 CE CE 06 63 07 46 FB 81 F4 64 BF D7 F3"
The process wscript.exe:852 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B D8 8E A5 4B A5 75 3C 42 9F F6 4C 59 05 E1 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\ShopperPro]
"spbiu.exe" = "ShopperPro Update Service"
The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process ShopperProJSINJFull.exe:1088 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 F8 0C A8 FD 49 A8 75 2C 60 23 07 68 E6 C3 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:1812 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"
[HKCR\ShopperPro.ShopperProBHO\CurVer]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}]
"(Default)" = "ShopperPro"
[HKCR\AppID\ShopperPro.DLL]
"AppID" = "{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}"
[HKCR\ShopperPro.ShopperProBHO]
"(Default)" = "Shopper Pro"
[HKCR\ShopperPro.ShopperProBHO.1\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
"(Default)" = "ShopperPro.ShopperProBHO.1"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "Shopper Pro"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"Version" = "1.0"
[HKCR\ShopperPro.ShopperProBHO\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"
[HKCR\ShopperPro.ShopperProBHO.1]
"(Default)" = "Shopper Pro"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0]
"(Default)" = "ShopperPro 1.0 Type Library"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 C2 AB 07 55 7F 76 5F 09 48 B2 26 5C 12 05 38"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
"(Default)" = "ShopperPro.ShopperProBHO"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"
[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}]
"(Default)" = "IShopperProBHO"
[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"
"NoExplorer" = "1"
The not-a-virus deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
The process setup.exe:1704 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 04 8A 09 15 16 50 17 7D 0A 25 B0 C1 AB 7A 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"UninstallString" = "%Program Files%\ShopperPro\SPremove.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayIcon" = "%Program Files%\ShopperPro\ShopperPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayName" = "Shopper-Pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe]
"(Default)" = "%Program Files%\ShopperPro\ShopperPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc6.tmp\AccDownload.dll,"
The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1352 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\ShopperPro]
"reportLevel" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ShopperProJSINJFull.exe" = "ShopperProJSINJFull"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 42 CC E1 B2 11 99 53 A7 39 B1 A0 F8 2C FB F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
06b4b7cebabb7b7b63209e98de3b56ab | c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro.dll |
88cf8bfbc52da7180cdb55aed7045b82 | c:\Documents and Settings\All Users\Application Data\ShopperPro\ShopperPro64.dll |
4ef6dbc0ff6cb0c8c89054cca438b430 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ShopperProJSINJFull.exe |
8683e0490479293e0dd1faf2cf2e88d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc6.tmp\AccDownload.dll |
faa7f034b38e729a983965c04cc70fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc6.tmp\nsProcess.dll |
7d67ed70c316e079e929ab98098af2c4 | c:\Program Files\Common Files\ShopperPro\spbia.exe |
b82b00206be732969f2692954621a5eb | c:\Program Files\Common Files\ShopperPro\spbici32.dll |
3c213111ecd687107201ebddfd4e55f6 | c:\Program Files\Common Files\ShopperPro\spbii32.exe |
279967ccf300290cad97db7b6c249865 | c:\Program Files\Common Files\ShopperPro\spbiu.exe |
a608bc4351c6a507e80eab8a169f6565 | c:\Program Files\Common Files\ShopperPro\spbiw.sys |
ed54ab3255e95203f027e1582dde3041 | c:\Program Files\ShopperPro\JSDriver\jsdrv.exe |
4da780a2bc9fafe425020a1650aa3318 | c:\Program Files\ShopperPro\JSDriver\jsdrv.sys |
7d4be688f04fce64a6456420ce596fc8 | c:\Program Files\ShopperPro\SPRemove.exe |
06b4b7cebabb7b7b63209e98de3b56ab | c:\Program Files\ShopperPro\ShopperPro.dll |
3aee8ac29d9c7907294dbcbbd9584d78 | c:\Program Files\ShopperPro\ShopperPro.exe |
88cf8bfbc52da7180cdb55aed7045b82 | c:\Program Files\ShopperPro\ShopperPro64.dll |
14933a24364c0597b614e9a2567426c3 | c:\Program Files\ShopperPro\Updater.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls creation and closing of processes by installing the process notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls creation and closing of threads by installing the thread notifier.
Using the driver "\??\%Program Files%\Common Files\ShopperPro\spbiw.sys" the not-a-virus controls loading of executable images into memory by installing the load image notifier.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
spbia.exe:1316
ShopperPro.exe:744
spbiu.exe:536
spbiu.exe:880
spbiu.exe:376
sc.exe:1188
wscript.exe:852
ShopperProJSINJFull.exe:1088
regsvr32.exe:1812
setup.exe:1704
%original file name%.exe:1352
- Delete the original not-a-virus file.
- Delete or disinfect the following files created/modified by the not-a-virus:
%WinDir%\Tasks\ShopperPro.job (1974 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.json (5 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3073 bytes)
%Program Files%\ShopperPro\config.json (215 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\spbihe.js (439 bytes)
%WinDir%\Tasks\SPBIW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup.exe (1583141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (151172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\setup1.exe (142646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (340314 bytes)
%Program Files%\Common Files\ShopperPro\spbia.exe (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\AccDownload.dll (11048 bytes)
%Program Files%\ShopperPro\Updater.exe (25112 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Program Files%\ShopperPro\database1_0_0.json (5 bytes)
%Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\Common Files\ShopperPro\spbii32.exe (13368 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (16944 bytes)
%Program Files%\Common Files\ShopperPro\spbiu.exe (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\nsExec.dll (6 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (14184 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Program Files%\Common Files\ShopperPro\spbici32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\MoreInfo.dll (7 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\Common Files\ShopperPro\spbiw.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\ns9.tmp (6 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp\jsdrv.exe (100378 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopperProJSINJFull.exe (39342 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Goobzo
Product Name: Update Helper
Product Version: 1.4.0.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Updater.exe
Internal Name: Update
File Version: 1.4.0.0
File Description: Update Helper
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 585456 | 585728 | 4.60852 | 1bca9a341a4facab7a0f4f4a5f0170b4 |
.rdata | 589824 | 107252 | 107520 | 3.51475 | acb1eb961ec5dfc5a4c542fde4d3ad14 |
.data | 700416 | 24164 | 14336 | 3.72548 | 1620d561ef652059f9344b28bb30381f |
.rsrc | 724992 | 2184 | 2560 | 2.6656 | 4c33e8c1750f1fa12846a87afa4f098b |
.reloc | 729088 | 32774 | 33280 | 3.63672 | 069b05eaabf47c8e0eaf3e5c3b87e8bc |
Network Activity
URLs
URL | IP |
---|---|
hxxp://50.18.63.239/app/ping.ashx?e=GFrjZskQvqP4YOj/qSs/oBiPbCybztIvTEgCpOx0T0GQL2F0hg1RiTOxvMX97V0ps943/u aXwQx ARCOrzfa1EUhVow7tBBMhyMxI MPZEuTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHN9 h9fxQBxhpHtajDWk/vQncPvizrCuIItMHrHbvNfq6AAic iFvFkD6PzPll6J6dNaYWHo2Zjuim/KhmSiOMrnW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC6U4Dd5uNizGnw B7XmN/bx3NCTk5ucOFXlcUe3XIWrL | |
hxxp://50.18.63.239/app/ping.ashx?e=2fVCHF6kf8ip2eBShmJaQN2Xg OVSnLYPYtKKSjfjuTZhN5o5pkk8XKxIhAz9YyqvaJKFIOO pJzLSS9ycS1B8yw3rQ5Q72iaKU0RcGk/KcyHIzEj4w9kS5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAc336H1/FAHGGke1qMNaT 9Cdw LOsK4gi0wesdu81 roACJz6IW8WQPo/M WXonp01phYejZmO6Kb8qGZKI4yudb1jBKTmCPbxVrsmYiz8GXXfKGul9gAx4gZ vPJZHK/LaAptfI88NdShcBfZSLPdbqw8UqueILpTgN3m42LMafD4HteY39vHc0JOTm5w4VeVxR7dchass= | |
hxxp://50.18.63.239/app/ping.ashx?e=eISsn0A7mAahuis9qfwvJd2Xg OVSnLYRhVmKoZLDh3ZhN5o5pkk8XKxIhAz9YyqvaJKFIOO pJzLSS9ycS1B/I7ma9OdUhU24p/ hkoobnhrXnnSje mECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mbjagVUTwqno3tPfNk0LwjiLK0PdH5S113vQnLoLWpSGWP4i/ZSXngbd92qyPh4NZ00KMJoV MDdUipml/xTtJneo /8EQQ7EaKr1l icJHo6jHoUXX2l omWJ/Ex9z3tzJVvURajp4qlUQ7Kz5asHZpCy29 Yy36 2rnEMjUuKYbM9UAJTh5I4G/4/VfGVweQ8pWPD4WN3E= | |
hxxp://50.18.63.239/app/ping.ashx?e=P5c0s7lb4RzgSf1QY 1oLXO8RsAeGOi7 0R MP RL3VKgFoRkIu6RnnRkhr6AyxjXX1Ow4X7CuYAShSSAVlltbv gNlTZPLGRzJziH5lBM6NmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw81lhagNSrkXt1NL5A3oO1EiHVbGzrGerD5x1Dh/wuQ7H/AAE2 QD ThAUjfQa2vLDvnq /UIN5QqIs V7Ds6CRuZZIi5/tojjeFKyzEEA2TzBaKXaEKdzFwqwK4Z/LB/gEuwwpt2SWXjaQSUVKXu21L8ExzavHCoaXOzasTiDAtO2Fbyzw8J/1bZlb2xASvkw== | |
hxxp://rep.shopper-pro.com/app/ping.ashx?e=6SSQJDW2873gSf1QY 1oLQs3HjGinSkQ 0R MP RL3UJOLXkS9L/h YWA31ptk0zYT/V7WBAfCqsJK7cGrSrCRPNOLfZAo0yyUY zL76DfdTgHVbvbgbiaI1V6x5uBFBE802eFlrCiGVVMDe7vdSpWMgUoTb7vyaQI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiYoYL3r 4idODB8Q7BcAr9dBHIQSAUi/qZ6ui3jv/3sP3EbLWmTIe6HPSZuizlKZS4vVGidJQzQbwcX153juosly7z014jPGHi9SV3844bx1g== | 54.197.238.106 |
hxxp://rep.shopper-pro.com/app/ping.ashx?e=2v0SNuZrMFxLlRAfuGRpD5NKgs3DMZQNnL2mJkRwP/gicvsFwQStENB87jgWTbK/vLOgBjaPUAzQAxIlXsFUXiuXhHAuoDITHa3z53DjByH lPuSoguSWxrRu4kWrXNynl1xOKDZuhV32iCW81wbGIKsBnpxnODFqF2K7v3Wx4ONmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw136MSsEaSIORzP5Rzi4YzflEuO9e0hYCneo /8EQQ7EaKr1l icJHo6jHoUXX2l omWJ/Ex9z3tzJVvURajp4qlUQ7Kz5asHZpCy29 Yy361S7rZnnZ2TU= | 54.197.238.106 |
hxxp://rep.shopper-pro.com/app/ping.ashx?e=6SSQJDW2873gSf1QY 1oLQs3HjGinSkQ 0R MP RL3UJOLXkS9L/h YWA31ptk0zYT/V7WBAfCqsJK7cGrSrCRPNOLfZAo0yLd A1HeTh7Yfo4QnaEaXkmxE9AUlgFpHEbMjOvdMuwlfLso2p8cu ApFTrCCyZw6jZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDkcz Uc4uGM35RLjvXtIWAp3qPv/BEEOxGiq9ZfonCR6Oox6FF19pfqJlifxMfc97cyVb1EWo6eKpVEOys WrB2aQstvfmMt tUu62Z52dk1 | 54.197.238.106 |
hxxp://rep.shopper-pro.com/app/ping.ashx?e=fx25sIC5hWP4YOj/qSs/oJIN/Wkq2V2rTEgCpOx0T0GQL2F0hg1Ridz0NLiYL60E7ONLYPARXR89zI2Lw9 hgZUhNsmBpSm8YCpHZc9ZUaF4PzDsAgk936bK2Q7GGGnWzo/w/HffLExyHqaaCgYxqI2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDXfoxKwRpIg5HM/lHOLhjN US4717SFgKd6j7/wRBDsRoqvWX6JwkejqMehRdfaX6iZYn8TH3Pe3MlW9RFqOniqVRDsrPlqwdmkLLb35jLfrVLutmednZNQ== | 54.197.238.106 |
hxxp://rep.shopper-pro.com/app/ping.ashx?e=xZXl1pX5gRngSf1QY 1oLe e12fLmvfm 0R MP RL3UJOLXkS9L/h YWA31ptk0zYT/V7WBAfCqsJK7cGrSrCRPNOLfZAo0ytYRRGpvjKZmzjXrgYJQKsUCndBhIJGn5Gl3VMfCFqNT669uXeODcaV gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFDMWtlnh6ykfXZz8PHIAwA2XCKyxfyg8N9A8dpvtBeO2hc3DbjNrW8PhalNGReGDudXf8s99rZqrmh5G7kLgKqRaV67pS3nBkkuGbiMqeAsg9JWacyDbfAA== | 54.197.238.106 |
hxxp://updatejs.shopper-pro.com/app/ping.ashx?e=P5c0s7lb4RzgSf1QY 1oLXO8RsAeGOi7 0R MP RL3VKgFoRkIu6RnnRkhr6AyxjXX1Ow4X7CuYAShSSAVlltbv gNlTZPLGRzJziH5lBM6NmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw81lhagNSrkXt1NL5A3oO1EiHVbGzrGerD5x1Dh/wuQ7H/AAE2 QD ThAUjfQa2vLDvnq /UIN5QqIs V7Ds6CRuZZIi5/tojjeFKyzEEA2TzBaKXaEKdzFwqwK4Z/LB/gEuwwpt2SWXjaQSUVKXu21L8ExzavHCoaXOzasTiDAtO2Fbyzw8J/1bZlb2xASvkw== | |
hxxp://updatejs.shopper-pro.com/app/ping.ashx?e=GFrjZskQvqP4YOj/qSs/oBiPbCybztIvTEgCpOx0T0GQL2F0hg1RiTOxvMX97V0ps943/u aXwQx ARCOrzfa1EUhVow7tBBMhyMxI MPZEuTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHN9 h9fxQBxhpHtajDWk/vQncPvizrCuIItMHrHbvNfq6AAic iFvFkD6PzPll6J6dNaYWHo2Zjuim/KhmSiOMrnW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC6U4Dd5uNizGnw B7XmN/bx3NCTk5ucOFXlcUe3XIWrL | |
hxxp://updatejs.shopper-pro.com/app/ping.ashx?e=2fVCHF6kf8ip2eBShmJaQN2Xg OVSnLYPYtKKSjfjuTZhN5o5pkk8XKxIhAz9YyqvaJKFIOO pJzLSS9ycS1B8yw3rQ5Q72iaKU0RcGk/KcyHIzEj4w9kS5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAc336H1/FAHGGke1qMNaT 9Cdw LOsK4gi0wesdu81 roACJz6IW8WQPo/M WXonp01phYejZmO6Kb8qGZKI4yudb1jBKTmCPbxVrsmYiz8GXXfKGul9gAx4gZ vPJZHK/LaAptfI88NdShcBfZSLPdbqw8UqueILpTgN3m42LMafD4HteY39vHc0JOTm5w4VeVxR7dchass= | |
hxxp://updatejs.shopper-pro.com/app/ping.ashx?e=eISsn0A7mAahuis9qfwvJd2Xg OVSnLYRhVmKoZLDh3ZhN5o5pkk8XKxIhAz9YyqvaJKFIOO pJzLSS9ycS1B/I7ma9OdUhU24p/ hkoobnhrXnnSje mECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mbjagVUTwqno3tPfNk0LwjiLK0PdH5S113vQnLoLWpSGWP4i/ZSXngbd92qyPh4NZ00KMJoV MDdUipml/xTtJneo /8EQQ7EaKr1l icJHo6jHoUXX2l omWJ/Ex9z3tzJVvURajp4qlUQ7Kz5asHZpCy29 Yy36 2rnEMjUuKYbM9UAJTh5I4G/4/VfGVweQ8pWPD4WN3E= |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app/ping.ashx?e=6SSQJDW2873gSf1QY 1oLQs3HjGinSkQ 0R MP RL3UJOLXkS9L/h YWA31ptk0zYT/V7WBAfCqsJK7cGrSrCRPNOLfZAo0yyUY zL76DfdTgHVbvbgbiaI1V6x5uBFBE802eFlrCiGVVMDe7vdSpWMgUoTb7vyaQI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiYoYL3r 4idODB8Q7BcAr9dBHIQSAUi/qZ6ui3jv/3sP3EbLWmTIe6HPSZuizlKZS4vVGidJQzQbwcX153juosly7z014jPGHi9SV3844bx1g== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 21 Feb 2015 15:07:18 GMT
Content-Length: 0
Map
The not-a-virus connects to the servers at the following location(s):
Strings from Dumps
spbiu.exe_536:
too many attached databases - max %d
too many attached databases - max %d
invalid name: "%s"
invalid name: "%s"
database %s is already in use
database %s is already in use
no such database: %s
no such database: %s
unable to open database: %s
unable to open database: %s
cannot detach database %s
cannot detach database %s
sqlite_detach
sqlite_detach
database %s is locked
database %s is locked
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
sqlite_attach
sqlite_attach
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
duplicate column name: %s
duplicate column name: %s
too many columns on %s
too many columns on %s
table "%s" has more than one primary key
table "%s" has more than one primary key
default value of column [%s] is not constant
default value of column [%s] is not constant
no such collation sequence: %s
no such collation sequence: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
view %s is circularly defined
view %s is circularly defined
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
table %s may not be dropped
table %s may not be dropped
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
indexed columns are not unique
indexed columns are not unique
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
views may not be indexed
views may not be indexed
table %s may not be indexed
table %s may not be indexed
there is already a table named %s
there is already a table named %s
virtual tables may not be indexed
virtual tables may not be indexed
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
index %s already exists
index %s already exists
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
no such index: %S
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.%s WHERE name=%Q
a JOIN clause is required before %s
a JOIN clause is required before %s
table %s may not be modified
table %s may not be modified
unable to identify the object to be reindexed
unable to identify the object to be reindexed
cannot modify %s because it is a view
cannot modify %s because it is a view
sqlite_version
sqlite_version
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_source_id
sqlite_source_id
sqlite_compileoption_get
sqlite_compileoption_get
foreign key mismatch
foreign key mismatch
%d values for %d columns
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
table %S has no column named %s
table %S has no column named %s
PRIMARY KEY must be unique
PRIMARY KEY must be unique
%s.%s may not be NULL
%s.%s may not be NULL
unable to open shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
sqlite3_extension_init
error during initialization: %s
error during initialization: %s
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
automatic extension loading failed: %s
automatic extension loading failed: %s
foreign_keys
foreign_keys
C:\Builds\Build_ShopperProMulti\BrowserInjection\Bin\ShopperPro_SPBIUpdate\Win32\WinMV\Release\spbiu.pdb
C:\Builds\Build_ShopperProMulti\BrowserInjection\Bin\ShopperPro_SPBIUpdate\Win32\WinMV\Release\spbiu.pdb
SHELL32.dll
SHELL32.dll
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
Secur32.dll
Secur32.dll
CryptMsgClose
CryptMsgClose
CertGetNameStringW
CertGetNameStringW
CertFreeCertificateContext
CertFreeCertificateContext
CertFindCertificateInStore
CertFindCertificateInStore
CertCloseStore
CertCloseStore
CryptMsgGetParam
CryptMsgGetParam
CRYPT32.dll
CRYPT32.dll
CreatePipe
CreatePipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
CreateNamedPipeW
GetNamedPipeInfo
GetNamedPipeInfo
DisconnectNamedPipe
DisconnectNamedPipe
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
RegCreateKeyW
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegDeleteKeyA
RegDeleteKeyA
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExA
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExW
RegOpenKeyA
RegOpenKeyA
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
RegEnumKeyW
RegEnumKeyW
zcÃ
zcÃ
.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVPipedProcess@Utils@SpeedBit@@
.?AVPipedProcess@Utils@SpeedBit@@
.?AVImplementation@PipedProcess@Utils@SpeedBit@@
.?AVImplementation@PipedProcess@Utils@SpeedBit@@
.?AVImplementation@MachineKey@Utils@SpeedBit@@
.?AVImplementation@MachineKey@Utils@SpeedBit@@
.?AVMachineKey@Utils@SpeedBit@@
.?AVMachineKey@Utils@SpeedBit@@
.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@
.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@
.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@General@Config@SpeedBit@@
.?AVSettings@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@Implementation@General@Config@SpeedBit@@
.?AVUrlSet@Implementation@General@Config@SpeedBit@@
.?AVOperaSettings@Implementation@General@Config@SpeedBit@@
.?AVOperaSettings@Implementation@General@Config@SpeedBit@@
.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@
.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@
.?AVSettings@Firefox@General@Config@SpeedBit@@
.?AVSettings@Firefox@General@Config@SpeedBit@@
.?AVSettings@Opera@General@Config@SpeedBit@@
.?AVSettings@Opera@General@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@
.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@
.?AVValueSet@Chrome@General@Config@SpeedBit@@
.?AVValueSet@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@General@Config@SpeedBit@@
.?AVUrlSet@General@Config@SpeedBit@@
.?AVValueSet@Firefox@General@Config@SpeedBit@@
.?AVValueSet@Firefox@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@User@Config@SpeedBit@@
.?AVChromeSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Firefox@User@Config@SpeedBit@@
.?AVSettings@Firefox@User@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Chrome@User@Config@SpeedBit@@
.?AVSettings@Chrome@User@Config@SpeedBit@@
.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@
.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@
.?AVBrowserSettings@Chrome@SpeedBit@@
.?AVBrowserSettings@Chrome@SpeedBit@@
.?AVWebDataDB@SQLite@SpeedBit@@
.?AVWebDataDB@SQLite@SpeedBit@@
.?AVImplementation@WebDataDB@SQLite@SpeedBit@@
.?AVImplementation@WebDataDB@SQLite@SpeedBit@@
.?AVException@sql@@
.?AVException@sql@@
// SpeedBit hidden execute
// SpeedBit hidden execute
if (WScript.Arguments.length > 0)
if (WScript.Arguments.length > 0)
var root = WScript.Arguments(0);
var root = WScript.Arguments(0);
for (var i = 1, n = WScript.Arguments.length; i
for (var i = 1, n = WScript.Arguments.length; i
args.push(WScript.Arguments(i));
args.push(WScript.Arguments(i));
var path = "\"" root.replace(/\\*$/, "").replace(/\//g, "\\") "\"";
var path = "\"" root.replace(/\\*$/, "").replace(/\//g, "\\") "\"";
path = " \"" args.join("\" \"") "\"";
path = " \"" args.join("\" \"") "\"";
var shell = WScript.CreateObject("WScript.Shell");
var shell = WScript.CreateObject("WScript.Shell");
shell.Run(path, 0, false);
shell.Run(path, 0, false);
343f3
343f3
%0 000^0
%0 000^0
7%8X8
7%8X8
3%4X4
3%4X4
11o1
11o1
8Â8D8V8b8o8{8
8Â8D8V8b8o8{8
= >6>>>\>
= >6>>>\>
4_5X5}5
4_5X5}5
2 363>3\3
2 363>3\3
2-2
2-2
0 0$0(0,0004080
0 0$0(0,0004080
4 4$4(4,4044484*6
4 4$4(4,4044484*6
5 5$5(5,50545~5
5 5$5(5,50545~5
3I4C4M4u4
3I4C4M4u4
2#3&4-5]5
2#3&4-5]5
1 1$1(1,1014181
1 1$1(1,1014181
? ?$?(?,?0?4?8?
? ?$?(?,?0?4?8?
2 2$2(2,2
2 2$2(2,2
5 5$5(5,50545
5 5$5(5,50545
= =$=(=,=0=4=8=
= =$=(=,=0=4=8=
> >$>(>,>0>
> >$>(>,>0>
5@5\5`5|5
5@5\5`5|5
combase.dll
combase.dll
kernel32.dll
kernel32.dll
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
portuguese-brazilian
portuguese-brazilian
USER32.DLL
USER32.DLL
Injection::Snapshot::Controller::IsChromeInstalled
Injection::Snapshot::Controller::IsChromeInstalled
Chrome installed:
Chrome installed:
Chrome unchanged:
Chrome unchanged:
Checking
Checking
Checking
Checking
777705555443332
777705555443332
5555443332
5555443332
5555443332
5555443332
logs\${ModuleName}.${Pid}.log
logs\${ModuleName}.${Pid}.log
WatchmanKey::TimeBomb::UninstallTimeBomb
WatchmanKey::TimeBomb::UninstallTimeBomb
Reporting
Reporting
1.0.0.4
1.0.0.4
Chrome::StartPageProtectionEnabled
Chrome::StartPageProtectionEnabled
Chrome::SearchEngineProtectionEnabled
Chrome::SearchEngineProtectionEnabled
Chrome::RestoreOnStartupProtectionEnabled
Chrome::RestoreOnStartupProtectionEnabled
Chrome::StartPageProtectionDisabled
Chrome::StartPageProtectionDisabled
Chrome::SearchEngineProtectionDisabled
Chrome::SearchEngineProtectionDisabled
Chrome::RestoreOnStartupProtectionDisabled
Chrome::RestoreOnStartupProtectionDisabled
ProcessCatcher::ExecutionContext::Resume
ProcessCatcher::ExecutionContext::Resume
Allocation
Allocation
ProcessMonitor::ExecutionContext::Resume
ProcessMonitor::ExecutionContext::Resume
EndsBy:\iexplore.exe|EndsBy:\rundll32.exe
EndsBy:\iexplore.exe|EndsBy:\rundll32.exe
EndsBy:\chrome.exe
EndsBy:\chrome.exe
EndsBy:\firefox.exe
EndsBy:\firefox.exe
iexplore.exe
iexplore.exe
rundll32.exe
rundll32.exe
chrome.exe
chrome.exe
firefox.exe
firefox.exe
opera.exe
opera.exe
spbici32.dll
spbici32.dll
spbifi32.dll
spbifi32.dll
spbioi32.dll
spbioi32.dll
spbii32.exe
spbii32.exe
Utils::PipedProcess::Create
Utils::PipedProcess::Create
Utils::PipedProcess::Start
Utils::PipedProcess::Start
Utils::PipedProcess::WriteData
Utils::PipedProcess::WriteData
[ReportDllsThread]
[ReportDllsThread]
ProcessWatcher::ExecutionContext::Resume
ProcessWatcher::ExecutionContext::Resume
spbia.exe
spbia.exe
Utils::PipedProcess::ReadData
Utils::PipedProcess::ReadData
Utils::PipedProcess::Wait
Utils::PipedProcess::Wait
Utils::PipedProcess::WriteEof
Utils::PipedProcess::WriteEof
Utils::MachineKey::Create
Utils::MachineKey::Create
Utils::MachineKey::Generate
Utils::MachineKey::Generate
Encrypt data. Key:
Encrypt data. Key:
Decrypt data. Key:
Decrypt data. Key:
Package url:
Package url:
WatchmanKey::Updater::SetLastTime
WatchmanKey::Updater::SetLastTime
.Service
.Service
/report
/report
/report1
/report1
%d.%d.%d.%d%n
%d.%d.%d.%d%n
Created URL Set object from configuration. Name:
Created URL Set object from configuration. Name:
UrlSetID:
UrlSetID:
Could not find matching URL set... Using old configuration
Could not find matching URL set... Using old configuration
spbiu.exe
spbiu.exe
[LocalScope::UpdateParser::ParseReportSection]
[LocalScope::UpdateParser::ParseReportSection]
Monitor::ServerEncryption::CreateSessionKey
Monitor::ServerEncryption::CreateSessionKey
Full url:
Full url:
Data url:
Data url:
sbu.exe
sbu.exe
spbiw.sys
spbiw.sys
wscript.exe
wscript.exe
spbihe.js
spbihe.js
[Monitor::WatchmanGuard::SendReport]
[Monitor::WatchmanGuard::SendReport]
Monitor::ServerReporter::Create
Monitor::ServerReporter::Create
/urlset:
/urlset:
Options.InjectAllBrowsers:
Options.InjectAllBrowsers:
Options.InjectDefaultOnly:
Options.InjectDefaultOnly:
Options.ServiceName:
Options.ServiceName:
Options.ProductCode:
Options.ProductCode:
Options.ProductPriority:
Options.ProductPriority:
Options.UpdateUrl:
Options.UpdateUrl:
Options.ReportUrl:
Options.ReportUrl:
Options.AutoStart:
Options.AutoStart:
Options.ProtectSearch:
Options.ProtectSearch:
Options.ProtectHome:
Options.ProtectHome:
Options.ProtectTab:
Options.ProtectTab:
Options.ExplorerInjection:
Options.ExplorerInjection:
Options.ChromeInjection:
Options.ChromeInjection:
Options.FirefoxInjection:
Options.FirefoxInjection:
Options.OperaInjection:
Options.OperaInjection:
Options.ConfigPath:
Options.ConfigPath:
Options.ConfigKey:
Options.ConfigKey:
Getting current URL Set
Getting current URL Set
Getting URL Set from options
Getting URL Set from options
] Provided. And is different from current URL set [
] Provided. And is different from current URL set [
URL Set [
URL Set [
Need to send report!!!
Need to send report!!!
ServerReporter::Create
ServerReporter::Create
general_config.xml
general_config.xml
system_config.xml
system_config.xml
[WatchmanInstaller::SendReport1]
[WatchmanInstaller::SendReport1]
iexplore.exe is running, result for getting DLL's:
iexplore.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
[WatchmanInstaller::SendReport]
[WatchmanInstaller::SendReport]
Currently set URLSet:
Currently set URLSet:
Updating system config with new URL set...
Updating system config with new URL set...
Already reported duiring first install
Already reported duiring first install
Report' been sent:
Report' been sent:
WatchmanInstaller::SendReport1
WatchmanInstaller::SendReport1
calling SendReport1...
calling SendReport1...
WatchmanInstaller::SendReport
WatchmanInstaller::SendReport
[Monitor::WatchmanMonitor::CreateSendReportTask]
[Monitor::WatchmanMonitor::CreateSendReportTask]
SendReportTask
SendReportTask
new
new
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportFailed]
[Monitor::WatchmanMonitor::OnSendReportFailed]
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
User has changed the chrome protection for:
User has changed the chrome protection for:
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
User has reset the firefox protection:
User has reset the firefox protection:
Next report task:
Next report task:
Scheduller::RegisterTask
Scheduller::RegisterTask
Monitor::Application::EnsureSystemKey
Monitor::Application::EnsureSystemKey
Options.Revert:
Options.Revert:
Settings.Final:
Settings.Final:
@ADVAPI32.DLL
@ADVAPI32.DLL
shlwapi.dll
shlwapi.dll
Utils::Registry::OpenKeyExW
Utils::Registry::OpenKeyExW
Subkey:
Subkey:
[Utils::Registry::RecursiveDeleteKeyW]
[Utils::Registry::RecursiveDeleteKeyW]
SHLWAPI.GetAddressOf
SHLWAPI.GetAddressOf
WKERNEL32.DLL
WKERNEL32.DLL
VERSION.DLL
VERSION.DLL
NTDLL.DLL
NTDLL.DLL
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::SpawnProcess]
[Utils::PipedProcess::SpawnProcess]
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::SpawnProcess
Utils::PipedProcess::SpawnProcess
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Wait]
[Utils::PipedProcess::Wait]
Utils::PipedProcess::WriteProc
Utils::PipedProcess::WriteProc
[Utils::PipedProcess::WriteData]
[Utils::PipedProcess::WriteData]
Utils::PipedProcess::ReadProc
Utils::PipedProcess::ReadProc
[Utils::PipedProcess::ReadData]
[Utils::PipedProcess::ReadData]
.cache
.cache
FIPHLPAPI.DLL
FIPHLPAPI.DLL
X-hX-hX-XX-XXXXXX
X-hX-hX-XX-XXXXXX
\\.\pipe\
\\.\pipe\
Could not create thread event. %%s
Could not create thread event. %%s
Could not create new client event. %%s
Could not create new client event. %%s
Could not create accept thread. %%s
Could not create accept thread. %%s
Could not create work thread. %%s
Could not create work thread. %%s
Could not start thread. %%s
Could not start thread. %%s
Stop IPC error. %%s
Stop IPC error. %%s
Pipe (0x%X) read problems. %%s
Pipe (0x%X) read problems. %%s
IAction::QueryInterface
IAction::QueryInterface
IExecAction::put_Path
IExecAction::put_Path
IExecAction::put_WorkingDirectory
IExecAction::put_WorkingDirectory
IExecAction::put_Arguments
IExecAction::put_Arguments
http\shell\open\command
http\shell\open\command
[Utils::SoftwareInfo::GetHttpOpenHandler]
[Utils::SoftwareInfo::GetHttpOpenHandler]
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
[SynchronousPipe::Write]
[SynchronousPipe::Write]
[SynchronousPipe::Read]
[SynchronousPipe::Read]
Error code: %u ('%s')
Error code: %u ('%s')
Could not allocate IPC memory. Requires size: %u
Could not allocate IPC memory. Requires size: %u
Could not create pipe. %%s
Could not create pipe. %%s
Could not create pipe event. %%s
Could not create pipe event. %%s
Event error. %%s
Event error. %%s
Pipe connecting error. %%s
Pipe connecting error. %%s
FCould not create IPC event. %%s
FCould not create IPC event. %%s
SHELL32.DLL
SHELL32.DLL
Google\Chrome
Google\Chrome
\Application\chrome.exe
\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
\resources.pak
\resources.pak
\Google\Chrome\Application\
\Google\Chrome\Application\
\Web Data
\Web Data
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
new
new
Injection::Snapshot::Parser::Parse
Injection::Snapshot::Parser::Parse
new
new
Injection::Snapshot::Parser::Parse
Injection::Snapshot::Parser::Parse
ReadStringNode
ReadStringNode
[Injection::Snapshot::Parser::Parse]
[Injection::Snapshot::Parser::Parse]
ReadStringNode
ReadStringNode
[Injection::Snapshot::Parser::Parse]
[Injection::Snapshot::Parser::Parse]
[Injection::Snapshot::Controller::IsChromeInstalled]
[Injection::Snapshot::Controller::IsChromeInstalled]
Chrome::BrowserSettings::Create
Chrome::BrowserSettings::Create
[Injection::Snapshot::Controller::IsFirefoxInstalled]
[Injection::Snapshot::Controller::IsFirefoxInstalled]
Firefox::BrowserSettings::Create
Firefox::BrowserSettings::Create
Argument.UserSid:
Argument.UserSid:
WatchmanKey::Users::SaveRestoreData
WatchmanKey::Users::SaveRestoreData
[WatchmanKey::GetEncryptionKey]
[WatchmanKey::GetEncryptionKey]
MachineKey::Generate
MachineKey::Generate
MachineKey::Create
MachineKey::Create
[WatchmanKey::LoadEncodedData]
[WatchmanKey::LoadEncodedData]
[WatchmanKey::CleanupKey]
[WatchmanKey::CleanupKey]
WatchmanKey::GetEncryptionKey
WatchmanKey::GetEncryptionKey
[WatchmanKey::SaveEncodedData]
[WatchmanKey::SaveEncodedData]
WatchmanKey::System::Open
WatchmanKey::System::Open
[WatchmanKey::System::LoadGeneralConfig]
[WatchmanKey::System::LoadGeneralConfig]
[WatchmanKey::System::SaveGeneralConfig]
[WatchmanKey::System::SaveGeneralConfig]
WatchmanKey::LoadEncodedData
WatchmanKey::LoadEncodedData
WatchmanKey::SaveEncodedData
WatchmanKey::SaveEncodedData
WatchmanKey::System::Ensure
WatchmanKey::System::Ensure
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::System::LoadSystemConfig]
[WatchmanKey::System::LoadSystemConfig]
WatchmanKey::EnsureKey
WatchmanKey::EnsureKey
[WatchmanKey::Users::Ensure]
[WatchmanKey::Users::Ensure]
WatchmanKey::OpenKey
WatchmanKey::OpenKey
[WatchmanKey::Users::Open]
[WatchmanKey::Users::Open]
[WatchmanKey::Users::LoadConfiguration]
[WatchmanKey::Users::LoadConfiguration]
[WatchmanKey::Users::SaveConfiguration]
[WatchmanKey::Users::SaveConfiguration]
WatchmanKey::Users::Ensure
WatchmanKey::Users::Ensure
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::GetBlackListHash]
[WatchmanKey::Updater::GetBlackListHash]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::TimeBomb::Uninstall]
[WatchmanKey::TimeBomb::Uninstall]
WatchmanKey::SystemKey::Open
WatchmanKey::SystemKey::Open
Argument.SystemConfig:
Argument.SystemConfig:
Argument.Config::User:
Argument.Config::User:
Argument.Config::General:
Argument.Config::General:
IEBHO.DLL
IEBHO.DLL
DATAMNGR.DLL
DATAMNGR.DLL
[Config::General::UrlSet::Copy]
[Config::General::UrlSet::Copy]
[Config::General::Chrome::Settings::Dump]
[Config::General::Chrome::Settings::Dump]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Firefox::Settings::Dump]
[Config::General::Firefox::Settings::Dump]
[Config::General::Opera::Settings::Dump]
[Config::General::Opera::Settings::Dump]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Opera::Settings::Copy]
[Config::General::Opera::Settings::Copy]
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseOperaSettings
Config::General::Parser::ParseOperaSettings
lReadStringNode
lReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
MissedElement
MissedElement
[Config::General::Parser::ParseChromeSettings]
[Config::General::Parser::ParseChromeSettings]
[Config::General::Parser::ParseChromeValueSets]
[Config::General::Parser::ParseChromeValueSets]
Config::General::Parser::ParseChromeValueSets
Config::General::Parser::ParseChromeValueSets
ReadStringNode
ReadStringNode
gReadStringNode
gReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
MissedElement
MissedElement
[Config::General::Parser::ParseFirefoxSettings]
[Config::General::Parser::ParseFirefoxSettings]
[Config::General::Parser::ParseFirefoxValueSets]
[Config::General::Parser::ParseFirefoxValueSets]
Config::General::Parser::ParseFirefoxValueSets
Config::General::Parser::ParseFirefoxValueSets
ReadOptionalStringNode
ReadOptionalStringNode
ReadOptionalStringNode
ReadOptionalStringNode
ReadOptionalStringNode
ReadOptionalStringNode
[Config::General::Parser::ParseUrlSet]
[Config::General::Parser::ParseUrlSet]
MissedElement
MissedElement
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
dReadStringNode
dReadStringNode
[Config::General::Parser::ParseOperaSettings]
[Config::General::Parser::ParseOperaSettings]
ReadStringNode
ReadStringNode
MissedElement
MissedElement
ReadStringNode
ReadStringNode
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
We couldn't find the URL Set section... probably an old configuration!
We couldn't find the URL Set section... probably an old configuration!
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::SaveGeneralConfig
WatchmanKey::System::SaveGeneralConfig
H2.1.0.7
H2.1.0.7
2.0.0.0
2.0.0.0
ReadOptionalStringNode
ReadOptionalStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadBooleanNode
ReadBooleanNode
ReadBooleanNode
ReadBooleanNode
Could not find URL Set in configuration. Probably older configuration.
Could not find URL Set in configuration. Probably older configuration.
ReadBooleanNode
ReadBooleanNode
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::SaveSystemConfig
WatchmanKey::System::SaveSystemConfig
[Config::User::Chrome::Settings::Copy]
[Config::User::Chrome::Settings::Copy]
[Config::User::Firefox::Settings::Copy]
[Config::User::Firefox::Settings::Copy]
Config::User::Parser::ParseChromeSettings
Config::User::Parser::ParseChromeSettings
Config::User::Parser::ParseFirefoxSettings
Config::User::Parser::ParseFirefoxSettings
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Builder::BuildFirefoxSettings]
[Config::User::Builder::BuildFirefoxSettings]
[Config::User::Builder::BuildChromeSettings]
[Config::User::Builder::BuildChromeSettings]
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::SaveConfiguration
WatchmanKey::User::SaveConfiguration
[Chrome::BrowserSettings::OpenConfigFiles]
[Chrome::BrowserSettings::OpenConfigFiles]
SQLite::WebDataDB::Create
SQLite::WebDataDB::Create
Chrome::InstallInfo::Get
Chrome::InstallInfo::Get
[Chrome::BrowserSettings::SetHomePagePreferences]
[Chrome::BrowserSettings::SetHomePagePreferences]
Argument.HomePageIsNewTabPage:
Argument.HomePageIsNewTabPage:
Argument.HomePageUrl:
Argument.HomePageUrl:
Argument.DefaultProviderId:
Argument.DefaultProviderId:
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
Argument.DefaultProviderName:
Argument.DefaultProviderName:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderSearchUrl:
Argument.DefaultProviderSearchUrl:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderSuggestUrl:
Argument.DefaultProviderSuggestUrl:
Argument.DefaultProviderIconUrl:
Argument.DefaultProviderIconUrl:
Argument.RestoreOnStartup:
Argument.RestoreOnStartup:
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
[Chrome::BrowserSettings::GetSearchProviderId]
[Chrome::BrowserSettings::GetSearchProviderId]
Argument.UrlsToRestoreOnStartup:
Argument.UrlsToRestoreOnStartup:
SQLite::WebDataDB::GetFirstProviderId
SQLite::WebDataDB::GetFirstProviderId
Argument.KeywordToSearch:
Argument.KeywordToSearch:
Result.ProviderId:
Result.ProviderId:
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::Values::Create
SQLite::WebDataDB::Values::Create
[Chrome::BrowserSettings::EnsureSearchProvider]
[Chrome::BrowserSettings::EnsureSearchProvider]
Key deleted:
Key deleted:
[Chrome::BrowserSettings::DeleteSearchProvider]
[Chrome::BrowserSettings::DeleteSearchProvider]
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::RestoreState]
[Chrome::BrowserSettings::RestoreState]
Chrome::BrowserSettings::DeleteSearchProvider
Chrome::BrowserSettings::DeleteSearchProvider
Chrome::BrowserSettings::OpenConfigFiles
Chrome::BrowserSettings::OpenConfigFiles
SQLite::WebDataDB::SetDefaultProvider
SQLite::WebDataDB::SetDefaultProvider
[Chrome::BrowserSettings::PropagateState]
[Chrome::BrowserSettings::PropagateState]
Chrome::BrowserSettings::EnsureSearchProvider
Chrome::BrowserSettings::EnsureSearchProvider
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetProviderId]
[SQLite::Implementation::GetProviderId]
[SQLite::Implementation::GetFirstProviderId]
[SQLite::Implementation::GetFirstProviderId]
chrome-extension://
chrome-extension://
Checking
Checking
%Program Files%\Common Files\ShopperPro\spbiu.exe
%Program Files%\Common Files\ShopperPro\spbiu.exe
1.1.0.0
1.1.0.0