Gen:Variant.Adware.Symmi.41092 (BitDefender), Adware:Win32/BetterSurf (Microsoft), not-a-virus:AdWare.Win32.BetterSurf.b (Kaspersky), Adware.Bettersurf (fs) (VIPRE), Gen:Variant.Adware.Symmi.41092 (B) (Emsisoft), Artemis!BD17D95D0E5E (McAfee), Adware.BL (Symantec), Gen:Variant.Adware.Symmi.41092 (FSecure), Skodna.Generic_r.HW (AVG), NSIS:Amonetize-G [PUP] (Avast), TROJ_SPNR.0BCP14 (TrendMicro), Gen:Variant.Adware.Symmi.41092 (AdAware), Trojan-Downloader.Win32.Moure.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bd17d95d0e5eb936e99f74151ea3681e
SHA1: d64e8e42637f94ea030190c6de6515d5e7ca1a6d
SHA256: 5e2ebb3bf7f4bf4a63ee7c45d13653d99868245289010eed77c0ee4950db87bf
SSDeep: 12288:D7QkCG4GjeZHkwuPikQ7lKH5p5H9x1meZHkwuLiDQTlKJ5p xWlfM:DOG4GjeZEXi37l6Br1meZEjiMTlmWslU
Size: 649721 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1096
gpupdate.exe:764
%original file name%.exe:1384
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome.manifest (149 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316.js (747 bytes)
%System%\GroupPolicy\Machine\Registry.pol (408 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\overlay.xul (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (224 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\default\MediaWatchV1home8316_32.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (18748 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll (1467 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe (11397 bytes)
C:\extensions.ini (83 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx (1568 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\Thumbs.db (564 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316ffaction.js (678 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (0 bytes)
Registry activity
The process regsvr32.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 89 FD 7B 94 B1 7F B3 33 2F EF DF C1 A6 6B 6F"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\InprocServer32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}]
"(Default)" = "IMediaWatchV1home8316BHO"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\TypeLib]
"Version" = "1.1"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "MediaWatchV1home8316"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1]
"(Default)" = "MediaWatchV1home8316Lib"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\Version]
"(Default)" = "1.1"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\HELPDIR]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\TypeLib]
"(Default)" = "{FE98987B-878C-48A6-B681-1239F5D03F63}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\0\win32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\TypeLib]
"(Default)" = "{fe98987b-878c-48a6-b681-1239f5d03f63}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\FLAGS]
"(Default)" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "MediaWatchV1home8316"
"NoExplorer" = "1"
The process gpupdate.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 98 11 E7 FD 96 A3 15 95 65 7D 0D E1 D9 C4 74"
The process %original file name%.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"NoModify" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\ppmchhbfeheohajbnoogelfhonjabong]
"Version" = "1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"DisplayIcon" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe"
"DisplayName" = "Media Watch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "ppmchhbfeheohajbnoogelfhonjabong"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"CH" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"UninstallString" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"Publisher" = "Media Watch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Mozilla\Firefox\extensions]
"ext@MediaWatchV1home8316.net" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"NoRepair" = "1"
"DisplayVersion" = "1.1"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"ie" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"gpupdate.exe" = "Microsoft® Group Policy Refresh Utility"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB3.tmp\aminsis.dll,"
[HKLM\SOFTWARE\MediaWatchV1home8316]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316"
[HKLM\SOFTWARE\MediaWatchV1\Media Watch]
"Installed" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{8afda607-2367-462f-b161-becee009ecde}" = "51 66 7A 6C 4C 1D 3B 1B 17 B9 E7 97 54 72 43 0C"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"ff" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\ppmchhbfeheohajbnoogelfhonjabong]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 E3 22 C5 C9 CB DC 82 12 66 5B 6E C3 90 48 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"URLInfoAbout" = ""
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "Media Watch"
The Trojan modifies the IE security zone settings to map all local web nodes whose names contain no dots and which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}User]
Dropped PE files
MD5 | File path |
---|---|
51ba1095f0ae45a2d444bea506cb9ad4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB3.tmp\aminsis.dll |
a0c88a2e2b84896a3bef110746662bed | c:\Program Files\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll |
f986ae5d5a445b51d7c680e5516f85b8 | c:\Program Files\MediaWatchV1\MediaWatchV1home8316\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1096
gpupdate.exe:764
%original file name%.exe:1384
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome.manifest (149 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316.js (747 bytes)
%System%\GroupPolicy\Machine\Registry.pol (408 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\overlay.xul (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (224 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\default\MediaWatchV1home8316_32.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (18748 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll (1467 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe (11397 bytes)
C:\extensions.ini (83 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx (1568 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\Thumbs.db (564 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316ffaction.js (678 bytes)
Static Analysis
VersionInfo
Company Name: Media Watch
Product Name: Media Watch home 8316
Product Version: 1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 237568 | 3120 | 3584 | 2.92164 | 813e5a36ad046c0e3f27fadc0a3fbee1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 921
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
wuauclt.exe_540: