Gen.Trojan.Heur.PT.SmWaOAD21fi_51bd6e8e95 – Adaware

Trojan.Win32.Scar.hskr (Kaspersky), Gen:Trojan.Heur.PT.SmW@aOAD21fi (B) (Emsisoft), Gen:Trojan.Heur.PT.SmW@aOAD21fi (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 51bd6e8e95bba41a4697a101b2d6a187

SHA1: 65789c6261342acf1c47551b88f33e712685e661

SHA256: f059350004859eca7def5e834ca31cade5160afb7fb92053c3805a834c16403a

SSDeep: 12288:todAI3o7QvJ/RGtBp9T9e3dr1/qbio1NcTUrz7Ly/rqNDiS4Rn4xsluubAJsEEd:DWSi/Rim3z/qJ1sUbLy/rODGBHukAG

Size: 722432 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: AirInstaller

Created at: 2011-03-25 15:17:42

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

SACBENTP285944DEFB2A.exe:892
%original file name%.exe:1700
mofcomp.exe:372
mofcomp.exe:776

The Trojan injects its code into the following process(es):

WRSA.exe:2008
WRSA.exe:352

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process SACBENTP285944DEFB2A.exe:892 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Webroot\WRSA.exe (3785 bytes)

The process %original file name%.exe:1700 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (3825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (52 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (0 bytes)

The process mofcomp.exe:372 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1587 bytes)
%WinDir%\Temp\tmp41.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\tmp41.tmp (0 bytes)

The process mofcomp.exe:776 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1291 bytes)
%WinDir%\Temp\tmp40.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (6 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\tmp40.tmp (0 bytes)

The process WRSA.exe:2008 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\WRkrn.sys (112 bytes)
%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (33604 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (629 bytes)
%System%\WRusr.dll (149 bytes)
%WinDir%\Temp\perflib_perfdata_7a8.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbi.db (714 bytes)
C:\$Directory (1732 bytes)
%Documents and Settings%\All Users\Application Data\WRData\WR.mof (1 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbg.db (1636 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (0 bytes)

Registry activity

The process SACBENTP285944DEFB2A.exe:892 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B7 66 87 0E A3 C6 6D F4 78 90 9A A5 C8 C7 35"

[HKLM\SOFTWARE\WRData]
"InstalledVersion" = "134218217"

[HKCU\Software\WRData]
"InstallOpt" = "38498"

[HKLM\SOFTWARE\WRData]
"InstallDir" = "%Program Files%\Webroot\WRSA.exe"
"nid" = "134218217"

[HKCU\Software\WRData]
"LIC" = "SACBENTP285944DEFB2A"
"3" = "0"

The process %original file name%.exe:1700 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 16 14 CF 70 C7 B4 82 4B E1 CA B9 35 C9 EE EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp]
"wsa.bat" = "wsa"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process mofcomp.exe:372 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6D D8 C2 37 4B 59 07 E6 B7 6A 25 6C 4D 6A 3E"

[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Autorecover MOFs timestamp" = "130558497636928750"

The process mofcomp.exe:776 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF FF D5 E1 55 5D 92 38 15 B4 47 61 57 0D B4 BE"

[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Autorecover MOFs timestamp" = "130558497636303750"
"Autorecover MOFs" = "%System%\WBEM\cimwin32.mof, %System%\WBEM\cimwin32.mfl, %System%\WBEM\system.mof, %System%\WBEM\wmipcima.mof, %System%\WBEM\wmipcima.mfl, %System%\WBEM\regevent.mof, %System%\WBEM\regevent.mfl, %System%\WBEM\ntevt.mof, %System%\WBEM\ntevt.mfl, %System%\WBEM\secrcw32.mof, %System%\WBEM\secrcw32.mfl, %System%\WBEM\dsprov.mof, %System%\WBEM\dsprov.mfl, %System%\WBEM\msi.mof, %System%\WBEM\msi.mfl, %System%\WBEM\policman.mof, %System%\WBEM\policman.mfl, %System%\WBEM\subscrpt.mof, %System%\WBEM\wmi.mof, %System%\WBEM\wmi.mfl, %System%\WBEM\scm.mof, %System%\WBEM\fevprov.mof, %System%\WBEM\fevprov.mfl, %System%\WBEM\wmitimep.mof, %System%\WBEM\wmitimep.mfl, %System%\WBEM\wmipdskq.mof, %System%\WBEM\wmipdskq.mfl, %System%\WBEM\wmipicmp.mof"

The process WRSA.exe:2008 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = ""

[HKLM\System\CurrentControlSet\Services\WRkrn\Instances]
"DefaultInstance" = "WRkrn"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = ""

[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}]
"(Default)" = "WRShellExt"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control]
"CloneTimeStampFlags" = "432977565"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"NoModify" = "1"

[HKCR\*\shellex\ContextMenuHandlers\WRShellExt]
"(Default)" = "{69D72956-317C-44bd-B369-8E44D4EF9802}"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"InstallLocation" = "%Program Files%\Webroot\"

[HKLM\SOFTWARE\WRData]
"GWord" = "WSASME.EXE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\WRData]
"CTX" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WRkrn]
"(Default)" = "Driver"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"UninstallString" = "%Program Files%\Webroot\WRSA.exe -uninstall"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"EstimatedSize" = "695"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\WRData]
"rCV" = "1"

[HKLM\System\CurrentControlSet\Services\WRSVC]
"Description" = "Webroot SecureAnywhere Endpoint Protection v8.0.1.233"

[HKLM\SOFTWARE\WRData]
"InstalledVersion" = "134218217"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\Folder\shellex\ContextMenuHandlers\WRShellExt]
"(Default)" = "{69D72956-317C-44bd-B369-8E44D4EF9802}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"VersionMajor" = "8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"Publisher" = "Webroot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 06 A0 92 1A FA 49 B5 0B D6 F1 22 6B 35 DB EB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\System\CurrentControlSet\Services\WRkrn\Instances\WRkrn]
"Altitude" = "321611"

[HKLM\SOFTWARE\WRData]
"InstallDir" = "%Program Files%\Webroot\WRSA.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WRkrn]
"MSvc" = "WRSVC"

[HKLM\System\CurrentControlSet\Services\WRkrn\Instances\WRkrn]
"Flags" = "0"

[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32]
"(Default)" = "%System%\WRusr.dll"

[HKLM\System\CurrentControlSet\Services\WRSVC]
"CSD" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"VersionMinor" = "0"
"DisplayName" = "Webroot SecureAnywhere"
"DisplayVersion" = "8.0.1.233"
"DisplayIcon" = "%Program Files%\Webroot\WRSA.exe"
"NoRepair" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\WRkrn]
"DeleteFlag"
"WOW64"

The process WRSA.exe:352 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 36 18 BD B7 72 4A 75 F8 3D C5 A9 67 F9 2B F2"

[HKLM\SOFTWARE\WRData]
"BLV" = "E3 17 B9 E7 73 89 DF 89 C8 2C 84 9F 37 2F F2 EC"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"wInstallTime" = "1411376161"

[HKCU\Software\WRData]
"LIC" = "SACBENTP285944DEFB2A"
"17" = "1927995897"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WRSVC]
"(Default)" = "Service"

[HKCU\Software\WRData]
"5" = "ivTHbMBs"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\WRSVC]
"WOW64"
"DeleteFlag"

Dropped PE files

MD5	File path
cbe1be460b6da29669169379afe61720	c:\Program Files\Webroot\WRSA.exe
b666f9ae523f9150e1ee1f6c8242441c	c:\WINDOWS\system32\WRusr.dll
8570519458afa754d99292a815bc49b9	c:\WINDOWS\system32\drivers\WRkrn.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls creation and closing of threads by installing the thread notifier.

Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls operations with a system registry by installing the registry notifier.

The Trojan installs the following kernel-mode hooks:

ZwAllocateVirtualMemory
ZwAssignProcessToJobObject
ZwCreateThread
ZwDebugActiveProcess
ZwDeleteKey
ZwDeleteValueKey
ZwDuplicateObject
ZwOpenProcess
ZwOpenSection
ZwOpenThread
ZwProtectVirtualMemory
ZwSetContextThread
ZwSetValueKey
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwWriteVirtualMemory

Using the driver " %System%\drivers\WRkrn.sys" the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
SACBENTP285944DEFB2A.exe:892
%original file name%.exe:1700
mofcomp.exe:372
mofcomp.exe:776
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Webroot\WRSA.exe (3785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (3825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (52 bytes)
%System%\wbem\Logs\mofcomp.log (1587 bytes)
%WinDir%\Temp\tmp41.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (4 bytes)
%WinDir%\Temp\tmp40.tmp (2 bytes)
%System%\drivers\WRkrn.sys (112 bytes)
%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (33604 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (629 bytes)
%System%\WRusr.dll (149 bytes)
%WinDir%\Temp\perflib_perfdata_7a8.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbi.db (714 bytes)
C:\$Directory (1732 bytes)
%Documents and Settings%\All Users\Application Data\WRData\WR.mof (1 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbg.db (1636 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.MPRESS1	4096	765952	718848	5.54368	ab7a591948a0dfb81c8e9d20364bd65c
.MPRESS2	770048	1228	1536	3.48797	bb1c5ba93743189ec186fa9dce165a49
.rsrc	774144	1040	1536	2.62402	b9520c33f1e3aea0922a32485ebeba1f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ronb1-1759004122.us-east-1.elb.amazonaws.com/arm.asp
hxxp://g74.p4.webrootcloudav.com/arm.asp	50.16.211.74

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /arm.asp HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

Host: g74.p4.webrootcloudav.com

Content-Length: 1141

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

TV=1&TT=AWARE&SV=134218217&InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21&HEADERS=$$$01$$$314F04E9OLCKIKPLHKHRNEMEPDQDLGQRNFNHPHFIOIIGNQIHJPHDMIIPEKECMGJLRKHLHHOCOPDOLFJEEJRNGJNRMIKPCCHGRIEEEQQNRHHJNLFGFPDCNLNLMMQMNLGDCEHHPKIIIGCMCJFHJHRLHJHPHECDMQHCDEGIJQONJNCGONLJHKFINLGEOEPQJPKEOMKMNKDOLCNGGGNKOLENDRMNOLRKEPIPMLRQJNQKMLGIHDQEECPHMGNFMHKJQHOHGMKNDLEMQLNFLRFCNKMNOLKDNJQQKHJIFQIJERKCMOCFPGCJKMLQEQHLDLHQPMEJLQNMHQPQKNHENNCEDDQGHKMKMPLLGODPFJQLJRMMNREHCKMOMMINLQLFOKKMRCCPOHOQLKIQMCOJOFMNRJRICCCORNMFPJEDFIENHOOHIPFQRLIPQMOFIHLQKEKMKDEIMROIRQGFONPHJPKINQHEEQKIPQLJCFHNLLJERNJCJLPJOLJCEROIMNMGNIOPMEORHCOREHLEDLGRHNRGJGFRLJJEHHPEMLPRMQRQGMQMDLQEQQJHNKLHEIRQMERQJEKGHGJOGHLLKJCIQPHMGRLIFMOHLKQCOPLKCQOOHJPMKEDCEJEPFFCQRFRIDHHREKNHRMDKOENMJKCEIIDKQPQMLELMLDMHDGHNCFNDOLELRPLPLFGOJHHLNEFPNPIOQKDCLLILGLLNKMHJLFIMQKCKFGMGNNCMLRMPINNFQFERGLQNRRGQGCNDDPFNFOMKORJDMJRJQHGJDCFENOFNJFNCCQEDIEJPPREDNLQLPHCPFFGDKOOKDNDLMMHHECFHPIEPQJKFFCGHPLOCFOKNLQRJMEDCMEPRCLEOICNMEEMIRRDCENDMLPINLRLOPFKHQPLLDJGPKRRGGEDFMQDEMLNENLMHDDCPJKKIPEKPQDKQIEOFDOOFEDDLMOHLDJGQOMCLCGMPPHGCQLDCLKIHFRHIQKJIIRCEKNHIOKDENMJNJIOKIFQMQPGFDLQLCFDH&

HTTP/1.1 200 OK

Cache-Control: private,no-cache

Content-Type: application/octet-stream

Date: Mon, 22 Sep 2014 13:58:15 GMT

Expires: Sun, 21 Sep 2014 13:58:16 GMT

Pragma: no-cache

Server: Microsoft-IIS/7.5

Set-Cookie: errtext=; path=/

X-Powered-By: ASP.NET

Content-Length: 2530

Connection: keep-alive

<?xml version='1.0' encoding='UTF-8' ?>.<pvx_com_xml><![CDATA[.TT=AWARE.TV=1.SV=134218217.InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21.$$^^URL=156A21CCKFQTKNGRFQMNSPQROJGHUIRLFRQSJQSMOFNFHJJJKLSHQTJPOPQUPTQSQKHQPTNKKGIKGLNTNIPLNHMKURFRGPUHQQNGILGFQLQUIUGONTSOTLMSTJOPFINQHFRSMNHUMJPIISMIRKTHOPHGTLFNKUSUFIUOSUQJOUQMUQOISQJNFGNULIRMNNGGJFPOFFJSJRILFURGMOHJNURGITHJLMTTRSRJRPGHRNSOHJLRLMTOQKSNKQUFFHFSGMFNKIOGRQHLMOIUSMQRRPUKKUIFSMGROHMGQTPQIFIRNHPTQHKTMFJSOGHQHLPMNMGMTUSLPTNTQMHLPNPGOQPJLOHGITSNNSPNUHNRRPNPFGSQKKRTQGNQKQTIPIHJJFPGPGNTSMLSUMUHGFHIMIFSIISKHRURIORPHRLQKFRGSGIMGMNHSMJMMLOLNUHUIOINOSNQNPLKMJUNQSTRHQIOUIOGOHRLUUTOUQJGUHTIGIJOPRMTFKFGNUHNRKPGSMIHUFQGUJFMUOTUFKGLHGMGRLJMUJMNRUHFJIJRPRQNHMRHOOFQHPRNFRHUIPQHLQUHQGSJGPHIKULLUQRMQGIFRJRPHOSJRQOHSRTQHKPPIIRKJIJNSTPKQPGFKGQLTPNHRNITMSPUHKLJLUGPUIOSLFOPIFFORGJSQMFLMSLPNITRFHNLIJURPLJUKJIQIIMGQNSQJIHKSNKFFOPUFBKM.$$^^UPD=9FE3A845OEOCEAJHMFCKNIOLLBICBFDMEHCAKDKFHGLPDGIKKGPPGHDOFFFNDEHJNNNLNCKCCLNLDFDAELBBMPBCDIECHIEDJGDNLHFJDAPFMMCGAJBDNBOENCPHEBFCCEFOLGGNMFOOANJKINCCPJJONCKBCMDEBGHBGCKFDOACKKJAGMCMIAJJDFAIMGNLLINFIHHLMCNMMCJFNLNCKOHDBLFFKHPJGFHMAKJDPNHNOEDINGAADIACPDKMCCLMBKKGAJBNICPIIDFJFEKLOJOCPMAGJKHMBHCHJMBIGCLKKJAJCCADNPHOBDFFCEPJDFHFOFJIPPEDAOHDEEKHHGPBMDOCGPAGPP.$$^^HDR=09703BD6AAMBOHJPCIOHEDJFCONIGFNAMLIKKNIJLONDEGNCIFOBFJNNFAJAFMEPIIGACFHJLNKFODMLNGEDLGAHNGDFPAOPHHHILPLBGEANJJNPJOPIBKNAAJAAJJKLKCLMPIAOMFGCCBNKKEOAAHMDAEJJPOMGMLNAKHNNKCBKJCIJABCHOPFDBLMPCEBNBLBCGJAEEBKMJFKAJJDCEPLCBIOBHMHHIJAFELBDJJLNNAKICCJMKG

<<< skipped >>>

POST /arm.asp HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

Host: g74.p4.webrootcloudav.com

Content-Length: 1206

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

Cookie: errtext=

TV=1&TT=WALL&SV=134218217&InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21&HEADERS=$$$01$$$F38AC12CNSJRNKOGNOLNHEGOFRKHFKKNPPFDRNJGSMSRDFSSDFDPQQOGMHSRQLFGHLPORIIFGQLJFORDIJFMOKJQEJISKDDJGNIDKRQMNINLQMSMEEQEINGHHMFKINLDFQMHOKFKHOHORSKDNMDOLOROLNOGGFRFHNSHJJOMJGOEIDFFDDHPRQOOIMFKFJSKIIGKFKNEHSDEQGDIMKQJPDIJIJDIKFEDHFNGDHSIQJMRERDLFOGOJLEMJMJQFMFOHFJIIEHHREQQILIFHGKJGFEDHDKGGRROHMSNELQQMOMEJDMISQPOIQLSNQLLNRKIFJFDRJHHKGPDDOMLJLGRNDKFEIHGGHHKSGMGFKMDRKQFJDJMLRNFKIEJFGHSEOPHRFDKSSFKLKLRFGRJFGDPQHOFFOEMHGMOJJMEHPOSKQLGJNQDONOEGMJSEEKOQFIOGLKGJMSJEPJLRFGGRLNKSMKGHMJFIHFRKNFKLPJIDRDKLRMFFPFDJSDJKFFSJJFMIDFMJISHEMFMMHMRLKRNJHRONNHKENHNQEJOKIOSFJKLIFRSPKPLIQFDERFDDRQRRHRRSIDOKKMPIIPLGRHHPNEKFLGFOQPNPFORDKRLQFRSHKRDESPSEDKOSJMFPOKHQIQMNQSOIKHGLRIQGEELHRFPHMEKLLRMIODGQEIORIFLDLSMFQFGRJPHFJMIOGJIDJQHQJFJIIRFDHQKOJSIROIMFHSKPDQDLDRRMPGFGJGGODNHHOISQEMESDHFDGMSNSEMNQFMELIPKOIMLLJQSIODMIRDJHOPPRKHRFIDDHQGGLINJPHPQMLGMHRGNFKSISEMLLQSFEIFLPEERKFQINPNENDIKEKJNHPDKNMPNKRKHGQSOMNFKHEMGLHDDJIDGDLHSLKGPOKELHMOLRNGNSPMMQENHHROHQGJSDOIFGFOQNGOOPNJSPSJQNLLNNKDDKLMQGJENGEPRGFHERIKPGJLEKQLJGMOPGNJDOOLDOEFRNNJHSDFLMDHJQHDIMLDEMOHLIDMFIIMSMEJPSKKROLIIMJKNPKPMFNLGODDQPQGGNDGGQGDNQDRQSDDGM&

HTTP/1.1 200 OK

Cache-Control: private,no-cache

Content-Type: application/octet-stream

Date: Mon, 22 Sep 2014 13:58:15 GMT

Expires: Sun, 21 Sep 2014 13:58:16 GMT

Pragma: no-cache

Server: Microsoft-IIS/7.5

Set-Cookie: errtext=; path=/

X-Powered-By: ASP.NET

Content-Length: 57100

Connection: keep-alive

<?xml version='1.0' encoding='UTF-8' ?>.<pvx_com_xml><![CDATA[.TT=WALL.TV=1.SV=134218217.InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21.$$^^LIC=7D014AA7ITOTNNVRKHPSHIRSTHIRSNOOOHLUONRNWURHUIOMJONOLWVWOKHJTNWONTOWKVMKUKVOKNNRJHRHLIUJISRUOTQKIWVRPTNULWMJQROPJMKNTHKRSOLIQTUOQSSIVMWNNQUSPMTRRPQUOVPRHQRJSHWLSUUJWQUNSUOPVPORWVRHKLWLUIKQISLVQRSWUQWPSUVRTWTNVKOLMHLRNUVPNLKJUSKWNULPPVITMTUHLOPUTUNTVKHLSTKRVOMKLLPRRTHSTUMSHURRIHQKOVUQONRQWRMSHPMJHLMTQJJROVMNSRWKNWTHLPHJTHQQRITTRKQOVOPJTWKOURIJTSHKVSTJOKPWMKSRWSRWVJRPWVJOUURLMIRQUTQWLQNWNQMJLIMRHTLVKPPNJUQJKPQVNIJUNMHJJNTLRSNKVWLJVVSWPKLWIIHJHFUI.$$^^STR=D9773CD1DDDDDJKFPHEKQHIFFELKGIMELFRFPIRLSSMILDEHDJKFDNMRESONKRKPNOLDLIQGIKHSGPEHDNMSJMIPLESEGHJNSFSSKLKJSJLSQNPPLGJELGNLJEJSNJMQRISSHLSRSMJSFJILFNPRJMFFQHHJQISIFRKIPQOKPPRDKDNMJELPJIQILPIPMGONGMGDHNOFSKENKGDKKSQIFLPIHRSKRFQMFQDHHNSDFNDHILFQFGLQIJQOHGIMSGDMPHQQQJFJHQQGFPIFFONDLJJMMDMNGEISHDIFIPGRRIMEEMPIDFFSQDGLOPHJMNFOLHRJHNEOKEKEEIIIDQDERLQEHPOSHGILJLJMJHGNRDODRRFHKNRDHRHHPIPJRJQIDFDDMKJLJSJEFKEFGDGLMJINNEGSRGLGMMNOMGSIMFEDPDIEOEQFMGFGLIDIHSDRPMJMDPINHOQESEPJHKSNHPRQSLFLSRDMSQDRHPDISKMEEIJKRGEEKHMDHIKGPFSMKPRNPMGGGJOMMMOSDHQJGGKHMOKILJONPQQQQPNOISJONGGJODGHQHHMMQPHIEJEDGKFKSGNFHNQLDHQDHOKIFRKNGEMMMMSRESLJJEDLHDPIEFDKJPQONKMMJLMGJEEILRGSQEQDRPDRNQODDPLOMJKHLLFGQFHGNFDDKGKFPHENLGMIKGSLDILMGRNFHLMHJJOKFRHEPDEMROFDEOLHPRHGDMRIGKMMIQMHFHDKSEFDMJGNEKOMJKROGEPPEKMOINMNGHEIKMPQGPQOKRQDFNOHDMIHRKINONPERKEHFERMFJMSMSHELFQPEEPDEGLGEHPGPEEHRPSSJKFHSFPHDOENPDILLQJRKQKLKIPQJEQEPJGHQSHGRRKFQ

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

WRSA.exe_352:

`.rsrc

B'hG.Ir

SUPPORTHOME

WEBROOTHOME

SUPPORT

/exeshowaddremove

-proxyport=

-proxypass=

-key=

/key=

DlExec

TempKeycode

ChangeKeyCode

virusscan.jotti.org

VVV.virustotal.com

sophos.com

grisoft.com

pandasoftware.com

trendmicro.com

virustotal.com

f-secure.com

kaspersky.com

mcafee.com

webroot.com symantec.com

webrootanywhere.com

webrootcloudav.com

prevxinfo.com

prevx.com

hXXp://VVV.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

hXXp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

hXXp://VVV.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

scrnsave.scr

res://ieframe.dll/securityatrisk.htm

res://ieframe.dll/repost.htm

res://ieframe.dll/offcancl.htm

res://ieframe.dll/noaddoninfo.htm

res://ieframe.dll/noaddon.htm

res://ieframe.dll/inprivate.htm

res://ieframe.dll/navcancl.htm

res://mshtml.dll/blank.htm

C:\Windows\system32\blank.htm

hXXp://go.microsoft.com/fwlink/?LinkId=54896

hXXp://go.microsoft.com/fwlink/?LinkId=69157

BURLT

Software\Microsoft\Windows\CurrentVersion\App Paths

Terminal Server Client\TransportExtensions

Ole\AppCompat\ActivationSecurityCheckExemptionList

.html

UrlSearchHooks

Extensions\CmdMapping

Keyboard Layouts

Userinstallable.drivers

LoginScript

rdpwd\Tds\tcp

Cmdline

SetupExecute

Image File Execution Options

wowcmdline

cmdline

Windows

SCRNSAVE.EXE

KeyFileName

Explorer\ShellExecuteHooks

PendingFileRenameOperations

FileRenameOperations

BootExecute

Software\Policies\Microsoft\Windows\System\Scripts

AppCertDlls

DefaultPassword

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

$$^^URL

ProxyPort

ProxyPassword

UninstallKey

websec

UPDATEURL

ERRURL

URLSTR

URLFILEUPLOAD

URLINBOUND

URLSLAP

hXXp://webcache.google

hXXp://developers.facebook.com

hXXp://static.ak.fbcdn.net

hXXp://VVV.facebook.com

video.ak.fbcdn.net

VVV.facebook.com

driver.cab

sp1.cab

sp2.cab

sp3.cab

A suspicious file was detected: %S - %s - X

Applied unique machine ID: X

In-memory infection identified: %S

Configuration Saved: %s

Removed invalid LSP chain entry: %S

Connected to %s

Monitoring process %S [%s]. Type: %i (%i)

End passive write scan (%i file(s))

Begin passive write scan (%i file(s))

Saved the product log to %S

Rule Overridden: MD5: %s, Size: %i bytes, ID: X, Result: %i

Website determination changed: %S [Level: X] [Type: X]

>>> Service started [%s]

SLevel updated to %s

Applied license key: %s

Executed cleanup script: %S

Submitted file at user request: %S

Updating from %S

Scan Results: Files Scanned: %i, Duration: %S, Malicious Files: %i

Scan Started: %S [ID: %i - Flags: %i/%i]

Configuration imported from %S

Configuration exported to %S

Cleanup tool %i executed

Determination flags modified: %S - MD5: %s, Size: %i bytes, Flags: X

Blocked process from accessing protected data: %S [Type: %i]

Closed network connection: [X.%i - X.%i]

Blocked process from connecting to the Internet: %S [MD5: %s]

Infection found in realtime: %S [MD5: %s, Size: %i bytes] [%i/X] [%s]

File blocked in realtime: %S [MD5: %s, Size: %i bytes] [%i/X] [%s]

Blocked website: %s

Rolled back infection: %S

Infection detected: %S [MD5: %s] [%i/X] [%s]

Installation successfully completed (%s/%s)

GetWindowsDirectoryA

ConnectNamedPipe

CreateNamedPipeW

DisconnectNamedPipe

CallNamedPipeW

GetWindowsDirectoryW

GetNamedPipeClientProcessId

CreateIoCompletionPort

%m/%d %I:%M %p

%d/%m %I:%M %p

127.0.0.1

_CorExeMain

1.3.6.1.5.5.7.3.3

g%i.p4.webrootcloudav.com/arm.asp

000000000000000

Win32.Override.1

Win32.LocalInfect.3

Win32.LocalInfect.1

Win32.AutoBlock.1

Win32.UserAdded

Win32.RuleBlock.1

Win32.Untrusted.1

Caution.Rootkit

Community.OuterEdge

Community.Heuristic

Win32.LocalADS

Win32.LocalInfect.0

Win32.LocalInfect.2

ScanSeq:%i,ScanType:%s,VM:%c,L:%s,MM=Y,LSysC:%I64X,TSysC:%I64X,

ScanSeq:%i,ScanType:%s,VM:%c,L:%s,LSysC:%I64X,TSysC:%I64X,

%commonfiles%

ÃŠche%

%cookies%

Ãºvorites%

%documents%

%start%

%startup%

Ãžsktop%

VVV.google.com

if exist "%s" goto d

Nspr4Hook::hookerPrOpenTcpSocket

if exist "%s"

VVV.bing.com

ru.brans.pl

proxim.ircgalaxy.pl

irc.zief.pl

core.ircgalaxy.pl

kernel32.dll

SLAPKEY

%s/arm.asp

%s/aot.asp

184.72.40.115

174.129.33.10

79.125.105.211

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

arm.asp

%Y-%m-%d %H:%M:%S.000

serverexecutable

%s\wininit.ini

1%iX%s^%s

DEX%s^

C0X%s^

C1X%s^%s

C2X%s^

(%i %s)

Removing all components... %c

.pvxdtr

https

PACKED_EXE,

[Ovr=X*Age=%i*Pop=%i*Dir=%i*Adv=%i*],

00000000000000000000

00000000

0000000000000000

00000000000000

URLBlob

Start: X. End: X. Seq: X. DB: X. Install: X. Command: %s. Parameters: %s

reg %s /f

%x %x

1.2.3

%m-%d

hXXp://

%2sX

%2ss

JOBHTTP

$$$01$$$

%S,%s,

WSASME.EXE

operating systems

%C:\boot.ini

%s\%S

"%S\%s",SynProc %i

XXX

v8.0.1.233

@.dll

%S\%s.dll

SetTcpEntry

GetExtendedTcpTable

GetExtendedUdpTable

FilterConnectCommunicationPort

RegSaveKeyExW

RegRestoreKeyW

RegSaveKeyW

RegCloseKey

RegFlushKey

RegOpenKeyExW

RegOpenKeyExA

RegSetKeySecurity

RegCreateKeyExW

RegDeleteKeyExW

RegDeleteKeyW

RegEnumKeyExA

RegEnumKeyExW

RegQueryInfoKeyW

CertOpenStore

CertCloseStore

CryptMsgClose

CertFindCertificateInStore

CryptMsgGetParam

CertFreeCertificateContext

CertGetNameStringW

MsgWaitForMultipleObjectsEx

ExitWindowsEx

ShellExecuteW

ShellExecuteExW

WinHttpConnect

WinHttpSetTimeouts

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSetCredentials

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpSendRequest

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpCloseHandle

winhttp

CryptCATCatalogInfoFromContext

msvcrt

OS=%i%i^OSLang=%i^OSFull=%s^AVV=%s^AVS=%s^AVA=%s^AVU=%s^IB=%S^IBV=%S^FWE=%s^

%u%u%u

PX%sMID3%sSRC

MACX%s

(Build %d)

%s (Build %d)

Server 2008 WebServer

Server 2003 Web Edition

Windows Version Unknown

Windows %s %s

Windows %s %s %s

-X

HTTP/1.1 500

Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\%s

{C27CCE38-8596-11D1-B16A-00C0F0283688}

{C1A8AF25-1257-101B-8FB0-0020AF039CA8}

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%i

20323:TCP

System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

14671:UDP

c:\windows\explorer.exe

System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts

System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts

System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts

System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\PublicProfile\GloballyOpenPorts

System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\StandardProfile\GloballyOpenPorts

System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\DomainProfile\GloballyOpenPorts

Software\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST

Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AE68DC3-F16E-457D-947A-092D614C7ABD}_is1

Software\Microsoft\Windows\CurrentVersion\Uninstall\{B4B5AD48-8D34-41D3-BD8A-8A10BD9BDED3}_is1

Software\Microsoft\Windows\CurrentVersion\Uninstall\{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1

Software\Microsoft\Windows\CurrentVersion\Uninstall\{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1

Software\Microsoft\Windows\CurrentVersion\Uninstall\{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1

SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\86AEEA3A39CAF6F4D8D287BB7F4E228B

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F4A73EC6-EFC4-488D-AF1A-F2C3CD1BC072}

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}

255.255.255.255

$$$04$$$

$$$03$$$

$$$02$$$

AntiVirusProduct.instanceGuid="{D486329C-1488-4CEB-9CC8-D662B732D904}"

-ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --siluninstall -name=webroot --nostartmenu --noaddremove -noshut

-ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --userinstallie --userinstallff -name=webroot --nostartmenu --noaddremove --installforallusers -j "%S\pkg" --disablenotes --disableidentities --disablevault --disablecontext --lpbarpath="%S\PKG\WRBar.dll" --lpbarpath64="%S\PKG\WRBar64.dll" -noshut

WRCLOUDALPHA.EXE

%s %s

sShortDate

%a %Y-%m-%d %H:%M

%a %d-%m-%Y %H:%M

%a %Y-%m-%d %H:%M:%S

%a %d-%m-%Y %H:%M:%S

%s%I64XXXX

XXXXXXXXX%I64X

UpdateURL

Software\Classes\winbio.winbiotools

Software\Classes\Typelib\{130e4dce-ffac-15e3-5893-74950afeea4c}

Software\Classes\Typelib\{86727a1a-8140-4cfa-abfa-1620398fcec5}

Software\Classes\Clsid\{86727a1a-8140-4cfa-abfa-1620398fcec5}

Software\Classes\Interface\{86727a1a-8140-4cfa-abfa-1620398fcec5}

Software\Classes\Typelib\{8a4f328c-c9f4-4449-a0df-a756a6b52abf}

Software\Classes\bho.fffplayer.1

Software\Classes\bho.fffplayer

Software\Microsoft\Active Setup\Installed Components\{b00589a8-44cb-ba97-5de2-7c733bbee8ed}

%s.i

Win32.MalComponent

Win32.Corrupted

Software\Microsoft\Windows\CurrentVersion\Policies

credssp.dll

Software\Microsoft\Windows\CurrentVersion\Policies\System

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

%SystemRoot%\System32\svchost.exe -k netsvcs

%SystemRoot%\System32\qmgr.dll

System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider

%SystemRoot%\system32\ntmarta.dll

%SystemRoot%\system32\notepad.exe %1

Software\Classes\Applications\notepad.exe\shell\open\command

System\CurrentControlSet\Control\Session Manager\AppCertDlls

Software\Microsoft\PCHealth\ErrorReporting

DoReport

Software\Microsoft\Windows\CurrentVersion\Internet Settings

WarnOnBadCertRecving

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Software\Policies\Microsoft\Windows NT\SystemRestore

%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

%SystemRoot%\system32\ntvdm.exe

Software\Microsoft\Windows NT\CurrentVersion\Windows

comm.drv commdlg.dll ctl3dv2.dll ddeml.dll keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll winspool.exe wowdeb.exe timer.drv rasapi16.dll compobj.dll storage.dll ole2.dll ole2disp.dll ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv progman.exe avicap.dll mapi.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe

Software\Classes\.exe\shell\open\command

Software\Classes\exefile\shell\open\command

Software\Classes\.exe

dontreportinfectioninformation

Windows\WindowsUpdate

Windows\WindowsUpdate\AU\NoAutoUpdate

DisableCMD

NoWindowsUpdate

%windir%\system32\choice.exe /T 1 /N /D N /M Uninstalling...

#pragma namespace("\\\\.\\root\\SecurityCenter")

[Description("Webroot SecureAnywhere Security Center Integration"),Override("HostingModel")]

Name="AVClientInt.AVClientIntProvider";

ClsId="{D486329C-1488-4CEB-9CC8-D662B732D904}";

SupportsPut="FALSE";

SupportsGet="TRUE";

SupportsDelete="FALSE";

SupportsEnumeration="TRUE";

instanceGuid="{D486329C-1488-4CEB-9CC8-D662B732D904}";

companyName="Webroot";

displayName="Webroot SecureAnywhere";

Microsoft\Office\%s\%s\%s\

http://

WSA_SA_Report-%s

%a_%Y-%m-%d_%H-%M-%S

g1.p4.webrootcloudav.com/arm.asp

symsecureport

SQLANYs_sem5

semwebsrv

Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\

memory.dmp

Microsoft\Windows NT\CurrentVersion\Winlogon\altdefaultusername

Microsoft\Windows NT\CurrentVersion\Winlogon\defaultusername

Microsoft\Windows\CurrentVersion\Explorer\Streams\

Microsoft\Windows\CurrentVersion\Explorer\DesktopStreamMRU\

Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\

msdownload.tmp\

Microsoft\Windows\Cookies\index.dat

Microsoft\Windows\Temporary Internet Files\index.dat

Cookies\index.dat

Local Settings\Temporary Internet Files\Content.IE5\index.dat

Microsoft\Windows\IEDownloadHistory\index.dat

Logs\IE9_NR_Setup.log

IE9_Main.log

IE9.log

IE8_Main.log

IE8.log

IE7_Main.log

IE7.log

IE Setup Log.txt

Microsoft\Windows\History\

Local Settings\Temporary Internet Files\Content.IE5\

Microsoft\Windows\Temporary Internet Files\

Microsoft\Windows\Cookies\

Microsoft\Internet Explorer\TypedUrls\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\

Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\

Microsoft\Internet Explorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\

Microsoft\InternetExplorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Find\

Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\

Microsoft\Windows\CurrentVersion\Explorer\RunMRU\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\

Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\&Documents\Menu\

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Documents\

Microsoft\Windows\Recent\

$Recycle.bin\

Google\Chrome\User Data\Default\Cache\

Mozilla\Firefox\Profiles\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install

P4REPORT

%S\Driver Cache\i386

%s,%i%i

8.0.1.233

%s %s%s

%i-%i-%i-X-X.tmp

%s %s%S %s

Microsoft\Windows NT\CurrentVersion

\REGISTRY\User\%S

Microsoft\Windows\CurrentVersion

IG=%s,

hXXp://anywhere.webrootcloudav.com/zerol/pkgwiscaway.exe

detail.webrootanywhere.com/p4inbound.asp

hXXp://VVV.webrootanywhere.com/betaeula.asp

%.*s(%d)%s

=%%

d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\WRSA.pdb

O|SSSh

SSSSh=

tcSSSh

SSSSh6

SSSSh7

PSSSh

(QPSSSSh,

SSSSh?

PIQSSSh

RjEQSSSShE

SSSSh@

RSSSSSSh

KPjVSSSh

QjfSSSh

SShaaa

}.VQR

PSSSSSSh

>\u%f

K Pj.SV

SSSh8

O|SSSSh

jtSSSSh$

SSh ;

tcPQ

SSSSh

S|Wj.WWh

jmj SSSh

N|Sj.SSh

jDSSSh

jJj)SSSh

N|Sj.SSj^jBSSSh

SShDDD

SSSSjJj)SSSh

W|Sj.SSj^jBSSSh

V|Sj.SSj^jBSSSh

t.SSSV

zcÃ

Allow users to remove threats without a password

Allow users to scan without a password

This website is already being protected with SecureAnywhere Browser Protection. Remove it from the Browser Protection list to change its Website Filtering options.

This application is being actively protected against keyloggers, screen-grabbers, clipboard stealers, and other information-stealing threats.

Assess the intent of new programs before allowing them to execute

Would you like to automatically import the settings that were used in your previous installation?

Automatically block files when detected on execution

Caution: Booting into Safe Mode may prevent access to encrypted hard drives. Ensure that you have all encryption keys available if you are using hard disk encryption so that your computer can boot properly. Do you want to continue?

Warn when new programs execute that are not trusted

Protect against keyloggers

Block phishing and known malicious websites

Block suspicious access to browser windows

The current operation cannot be aborted.

SecureAnywhere was unable to remove threats automatically. Click "Contact Support" to contact our Support engineers.

Configuration for HTTP websites

Configuration for HTTPS websites

Would you like SecureAnywhere to continue monitoring and alerting about the Windows Firewall?

Your keycode has been copied to the clipboard. You can now paste it into any application.

The keycode could not be verified at this time. Ensure that SecureAnywhere is allowed to connect to the Internet and try again.

Configuration settings could not be exported to the selected file.

Configuration settings could not be imported from the selected file.

SecureAnywhere has detected that the Windows Firewall is currently disabled. It is recommended that you enable the Windows Firewall to receive maximum protection. The firewall built into SecureAnywhere is fully compatible with the Windows Firewall and provides an additional layer of protection.||Would you like to enable the Windows Firewall now?

Displaying %s events

Displaying %s process events

Enable Password Protection

Password protection is not currently enabled. Do you want to enable it now?

Enable "right-click" scanning in Windows Explorer

Enter a valid keycode to continue.

First Exec - PID: %i

A full keycode is required to add custom applications. Would you like to obtain one now?

Store Execution History details

Hide the SecureAnywhere keycode on-screen

SecureAnywhere has detected a modification to the HOSTS file, which may have been created by malicious software. The entry has the contents:||[%S]||Would you like SecureAnywhere to remove this entry?

HTTP Proxy

Save non-executable file details to scan logs

Enter a valid keycode. If you continue to receive this message, contact SecureAnywhere Support.

I/O Operations

A full keycode is required to increase the default security level. Would you like to obtain one now?

A keycode is required to run a full system scan. Would you like to obtain one now?

Your SecureAnywhere keycode has been validated and activated. Your computer will now be rescanned to provide the most accurate protection.

Enter a keycode to continue.

Loading execution history process events...

The Execution History log is currently loading.

Loading %s execution history events...

Caution: Your current configuration settings may prevent access to SecureAnywhere. You may want to change your configuration settings now or use the command-line option "WRSA.exe -showgui" to show the SecureAnywhere interface if needed.

Operate background functions using fewer CPU resources

This website is blocked because of a policy added by the user to prevent access.

This website has been trusted locally and visitation is not blocked.

Contact SecureAnywhere Support to upload files larger than 10MB.

Insert a keycode for SecureAnywhere.

Password

This file is trying to access stored passwords

The password entered was incorrect.

Error: The entered passwords do not match.

PID %i active %s (CPU %s)

PID %i active %s

%s (PID: %i) started by %s (PID: %i)

%s (PID: %i) - (Parent PID: %i)

Enter your password below to enter:

Enter a password to enable protection.

Protect cookies and saved website data

An attempt to take a screenshot of your computer was detected. This screenshot may contain confidential information as a protected website is currently open. Do you want to allow this screenshot to continue?

Protect against URL grabbing attacks

Port

Randomize the installed filename to bypass certain infections

Allow the process to execute other processes

Allow access to windows with a High integrity level

Allow access to windows with a Medium integrity level

Select a configuration file to import

Select a file to execute

Select where you would like to export the configuration:

Select a file to report to Webroot

Select a removal script to execute:

Show SecureAnywhere in the Windows Action Center

Show the "Authenticating Files" popup when a new file is scanned on-execution

Show SecureAnywhere in the Windows Security Center

Configuration successfully exported.

Are you sure you want to visit this website? The contents could potentially compromise your identity or infect your computer.

Uninstall Webroot

Configuration saved. Close and re-open all open web browsers to update active protection.

Use the preconfigured policies for changing configuration settings for all websites.

This keycode is valid but has expired. Would you like to renew the keycode now?

Enter a valid, complete website name to configure.

Verify the DNS/IP resolution of websites to detect Man-in-the-Middle attacks

Verify websites when visited to determine legitimacy

This website contains a known threat and has been blocked.

Contact Support

Website determination updated. Close your web browser and open the web page again or refresh the current page to continue browsing.

SecureAnywhere Scan Log (Version %S)~|Log saved at %S~|

(User time: %s - Kernel time: %s)

Cycles: %s

MD5: %S - Size: %i bytes

(PID: %i, TID: %i) %s registry entry: %s\%.*s

(PID: %i, TID: %i) %s file: %.*s

%s: PID - %i

(PID: %i, TID: %i) %s process: %i - %s

(PID: %i, TID: %i) %s named pipe: %.*s

(PID: %i, TID: %i) %s module: %.*s

(PID: %i, TID: %i) %s code: %.*s (%S)

(PID: %i, TID: %i) %s IP %.*S

(PID: %i, TID: %i) %s Sector: %I64X - Length: %I64X

(PID: %i, TID: %i) %s URL: %.*S

(PID: %i, TID: %i) %s service - %.*s - %.*s, (%i, %i)

(PID: %i, TID: %i) %s mutex: %.*s

(PID: %i, TID: %i) Logging keystrokes

(PID: %i, TID: %i) Monitoring Windows events (%i)

(PID: %i, TID: %i) %s section: %.*s

View the Webroot software license agreement

Webroot SecureAnywhere protects your computer from viruses, spyware, trojans, rootkits, and other malicious software.

Enter your keycode to install and activate your software.

Help me find my keycode

By clicking Agree and Install, you accept the terms of the Webroot software license agreement.

Want to learn more about Webroot?

Help and Support

About Webroot SecureAnywhere

Protected Websites

Websites on this list receive custom security to protect any information entered.

View/Edit Protected Websites

Password Required

Web Threat Shield

3. Close any open programs or web browsers (Recommended but not essential)

Reports

You may save a scan log, which Technical Support uses for diagnostics.

View an audit log of all monitored executed code. This allows you to manage running processes and identify potential problems quickly.

Not collecting execution history events

Password:

Repeat Password:

If a Webroot researcher has instructed you to execute a Removal script, select the script to begin.

Import / Export

Block websites from creating high risk tracking information

Analyze websites for phishing threats

Enter the website address to protect (e.g. VVV.webroot.com)

Add Website

Analyze search engine results and identify malicious websites before visitation

Detect websites being redirected by the HOSTS file

Look for malware on websites before visitation

Look for exploits in website content before visitation

Website Filter

View/edit the list of blocked websites to change how they should be handled or add new websites to block.

View Websites

Website

Enter the website address to configure (e.g. VVV.webroot.com)

You received your keycode by email.

Your keycode is located on the CD sleeve.

If you have misplaced your keycode:

Contact Webroot Support at hXXp://VVV.webroot.com/support

Help me find my license keycode

You can also import your settings from another computer using this screen.

Import Settings

Export Settings

Activate a new keycode

Keycode:

Enter your new keycode into the field below and click Activate:

Enter your keycode here...

Are you sure you want to abort the current operation?

Identity && Privacy - protect yourself while browsing web sites

Enter a password that is at least six characters long for better security.

Only executable files can be overridden.

Warning: Clearing the product log will prevent Webroot technical support from assisting you accurately. Are you sure you want to clear the log?

The username or password is invalid.

I forgot my password

Downloading Password Management Components...

Installing Password Management...

Windows System

Windows Desktop

Windows Registry Streams

Windows Update Temporary folder

Windows Temporary folder

Clean Index.dat (cleaned on reboot)

URL history

Securely erase files by overwriting contents with random data using seven passes and clean free space around files.

Erase files by overwriting contents with random data using three passes.

Clean files using standard file deletion techniques, bypassing the Windows Recycle Bin.

SecureAnywhere has detected a significant infection on your computer which requires manual assistance to clean. Contact Webroot Support to help clean your computer.

Your SecureAnywhere subscription entitles you to use Backup && Sync which makes it easy to share files on your computer and protect your important files from loss. Click "Download and Install" to use this feature.

Select specific files and folders to back up to your online storage in the Cloud to protect important files from loss.

Webroot Internet Security Complete is already installed on your computer. Use the Sync & Sharing features within WISC to prevent incompatibilities.

Backup & Sync was not installed successfully. If you continue to receive this error, contact Webroot Support.

Your SecureAnywhere subscription entitles you to use Password Management that makes managing your web site logons easy and more secure. Click "Download and Install" to use this feature.

Install Password Management

Manage your personal information, websites, and passwords at your My Webroot account.

- Automatically fill in your login information for remembered websites

- Create secure, hack-resistant passwords for website logins

Password Management makes web browsing easier and more secure.

Password Management is On

Password Management was not installed successfully. If you continue to receive this error, contact Webroot Support.

Password Management

SecureAnywhere was unable to restore all files to their original locations and has copied them to a dedicated Quarantine folder located at [%s]. Would you like to view the Quarantine folder now?

The keycode is currently hidden and cannot be copied.

%-5i %S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|

%-5i ...%.*S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|

%S (%S) - %S@%S drive - %i%% Free (%i MB Total), Serial Number: X~|

%S (%S)@%S, Number of Logins: %i, %S~|

%S on %S@%i MB, %i MHz (Form Factor: %S, Manufacturer ID: %S, Serial Number: %S, Part Number: %S)~|

%S on %S@%i MB, (Form Factor: %S)~|

%S@%S drive - No media~|

%S@%S, Last Login: %s, Number of Logins: %i, %S~|

%S@%S, Service: %S, Status: X,

%S@(%S) %S, Service: %S, Status: X,$

%S@Device ID: %S, Internal Name: %S~|

%S@Never logged in~|

%S@Port: %S, Status: %i, Jobs: %i~|

%i fragments, %u bytes@%S (MFT: %i)~|

%s@Minidump: %S~|

%s@System Analysis completed in %i seconds (%s)~|

, Problem code - X,

Active Applications@%i - %i windows (%i visible)~|

Active Applications@%i windows (%i visible)~|

Active Directory@%S~|

Auto Update State@%S~|

Browser@%S %S~|

CPU@%s (%i %S)~|

Common AppData Directory@%S~|

Current Processor Speed@%dMHz~|

DHCP Server@%s~|

DNS Server@%s~|

External Clock Speed@%dMHz~|

External IP Address@%s~|

Gateway@%s~|

Graphics Card@%s - %iMB Free Video RAM, %iMB Total~|

Home Page@%S~|

Hostname@%s~|

IP Address@%s~|

IP Mask@%s~|

Internet Cache@%i KB (%s)~|

Last Update Check@%S~|

Last Update Download@%S~|

Last Update Install@%S (%i %S ago)~|

Last Update Install@%S~|

Maximum Supported RAM Size@%i MB~|

Next Scheduled Install Time@%S~|

Next Scheduled Update Check@%S~|

OS Install Date@%s~|

OS@%s (Language: %i)~|

Operating System

Phishing Filter@%S~|

Search History, URL History, and Recent Playlist

Slot %i - %S (%S)@%S - Bus Number: 0xX, Device Number: 0xX, Segment Group Number: 0xX~|

Spyware Protection@%S %S (%S)~|

Spyware Protection@%S %S (%S, %S)~|

System Access Level@%s~|

System Boot Drive Device@%S~|

System Directory@%S~|

System Family@%S~|

System GUID@x-xx-xxxx-xxxx~|

System Manufacturer@%S~|

System Product Name@%S~|

System Proxy@%S~|

System Serial Number@%S~|

System Temporary Files@%i KB (%s)~|

System Uptime@%S (Tick Count: %i)~|

System Version@%S~|

Third Party Firewall@%S %S (%S)~|

UAC Status@%S~|

Update Type@%S~|

User Account Level@%s~|

User Temporary Files@%i KB (%s)~|

Username@%S (%S) - Session ID: %i~|

Username@%S - Session ID: %i~|

Virus Protection@%S %S (%S)~|

Virus Protection@%S %S (%S, %S)~|

Windows Experience Rating

Windows Firewall@Disabled~|

Windows Firewall@Enabled and Active~|

Windows Updates

~|~|This new key must be used on all future installations of Webroot software:~|~|%.4s-%.4s-%.4s-%.4s-%.4s~|~|Thank you for upgrading!

- Internet Explorer 7.0 and higher, Mozilla Firefox 3.6 and higher; Identity Shield feature in Webroot SecureAnywhere Complete also supports Google Chrome 11 and higher, and Opera 11 and higher

All attached devices have reported to be functioning properly.

Windows Automatic Updates are disabled

Contact Support by clicking the "?" button in the upper right corner of this window.

Create an account to access your security on all your devices online from any Web browser.

Purchase Webroot SecureAnywhere now for uninterrupted protection.

Don't waste a second. Get the fastest security ever. Buy Webroot SecureAnywhere.

Enter your email address to validate your license key and activate realtime threat prevention:

Firefox

If you have other security software installed on your system, you do not need to uninstall it. Webroot SecureAnywhere software is designed to work alongside your existing security software and will automatically upgrade earlier versions of Webroot or Prevx software. If you do experience any issues, please contact our Support team.

Last Password Change: %i %s ago

Malware scanning - detect and report threats

Mozilla Firefox - Cached Files

New Webroot Keycode.txt

No password configured

Operating Systems (32 and 64bit in all Editions)

Please wait until the current operation is complete before shutting down SecureAnywhere.

Please wait until the download of Password Management is finished to download Backup & Sync.

Save Keycode and Continue

SecureAnywhere is currently managed by the Web Console and all changes need to be applied centrally. Please refer to the SecureAnywhere documentation for further information.

Settings - Currently being managed by the Web Console

System Analysis was cancelled and the report may be incomplete.

Screen resolution and bit depth support true color images.

The Windows firewall is disabled.

The credentials used to log into Backup & Sync are invalid. Please login again.

There are currently no items in the execution history log.

To learn more about Webroot's complete portfolio of security solutions, visit VVV.webroot.com.

View Full Report

Visit Webroot.com

Webroot SecureAnywhere has been successfully installed and is actively protecting your computer. You do not need to do anything further - it will continue running in the background, blocking threats if they try to enter.~|~|Accessing Webroot SecureAnywhere is quick and easy - you can locate it any time in your system tray or notification area. You may need to expand your notification area with the "Up" or "Left" arrow to see the Webroot icon.

Webroot SecureAnywhere

Webroot SecureAnywhere`

Webroot System Analyzer

Webroot was unable to be installed because the current user account has limited rights. Please elevate the Webroot installer or install using an administrative account.

Without this protection, your PC is vulnerable to spyware and virus attacks. Don't waste a second - get the fastest security ever. Buy Webroot SecureAnywhere.

Not all RAM can be used by your 32bit operating system.

Protection disabled. Get complete protection with Webroot SecureAnywhere.

Your account gives you anytime access to your security from any Web browser.

Your Webroot SecureAnywhere trial ends in %i days!

Your Webroot SecureAnywhere trial ends tomorrow!

Your Webroot SecureAnywhere trial is expired!

Your new keycode is shown below and is also provided in a text file on your computer's desktop. Use this new keycode for all future installations and upgrades.

Your operating system is up to date.

It is recommended to change your password every 90 days.

Your hardware is adequate for running your operating system.

VVV.geeksquad.com

SecureAnywhere could not be installed. Please contact SecureAnywhere support to assist with your installation.

SecureAnywhere is not compatible with your current operating system. Please consider upgrading your operating system to Windows XP Service Pack 2 or higher.

- Windows XP SP2, SP3

- Windows Vista SP1, SP2

- Windows 7 SP0, SP1

I would like to receive alerts, special offers, important product updates, and newsletters from Webroot.

View the Webroot Privacy Policy

Note: Although your settings will be saved locally, your PC is currently centrally managed by the Web Console and your settings may be overwritten on the next database communication.

Scan with Webroot

To receive the fastest response to a file inquiry, we recommend writing into our support inbox so that a Webroot researcher will immediately look at the submitted information. Would you like to open a support ticket now?

A cleanup license key is required to remove threats.

SecureAnywhere Identity Shield protects your sensitive information on banking, web transacting, and social networking websites while peacefully coexisting with other security software.

Welcome to Webroot

Webroot FastScan quickly assesses your PC security by detecting malicious threats using the Webroot Realtime Threat Database while peacefully coexisting with other security software.

Update now to faster, lighter, and more effective protection. Installation will take less than 10 seconds with scans typically taking less than 2 minutes. Webroot SecureAnywhere protects your computer from all types of malicious activity.

You don't need to do anything further. Webroot SecureAnywhere Identity Shield is now helping to protect you and your personal information when you bank, shop, interact, and transact online.

Aborting the current scan will prevent Webroot from detecting and cleaning all threats. Are you sure you want to abort?

SecureAnywhere has detected active threats on your computer and needs a license key to remove them.

Enable enhanced customer support

Please wait a few moments and try again. Contact Webroot Support if this error persists.

The operation failed with error code %i. %s

The command you selected did not complete successfully. Contact Webroot Support if this error persists.

Backup allows you to automatically back up and access your files securely from a web-based portal.

Web Console

SecureAnywhere is using %2.2f%% of your disk space. The average scan time is %4.1f %s.

SecureAnywhere has used %2.2f%% of your CPU since installation and %2.3f%% disk space. Average scan time is %4.1f %s.

Next scan starts in %s.

%i%% - %s files scanned. %s %s

Scan Complete - %i active %s found in %s. %s

Scan ended - %i active %s found in %s. %s

%s files scanned in %s. No threats found. %s

Scan aborted. %s files scanned in %s. %s

Last scanned %s. %s %s %s removed.

Last scanned %s. %s

Protection has been active for %s.

%s system events have been inspected since installation.

%s system events have been inspected since bootup (%s.%c %s since installation).

%i%% - Cleaned %s bytes (%i files, %i registry entries). Cleaning %s

%i%% - Cleaning %s

System Cleaner is scheduled to run in %s. So far, it has cleaned %s %s.

System Cleaner is scheduled to run in %s.

System Cleaner last cleaned %s. So far, it has cleaned %s %s.

Click here for personal support if you have any questions about SecureAnywhere

Enable Windows Explorer right click secure file erasing

SecureAnywhere Backup allows you to back up your files online so that they can be access through the secure portal in the event of hardware malfunction or system problems, or just to provide easier means for sharing files securely.

Show Windows Explorer overlay icons

Web requests were denied. Please ensure that proxy settings are correct and log in with your current user credentials.

A connection is being established with the Webroot Backup && Sync cloud infrastructure.

Backup is idle and will next archive files at %S. Files were last archived at %S.

Backup is currently idle and is configured to begin automatically archiving files at %S.

Backup allows you to automatically back up and access your files securely from the SecureAnywhere website.

Scanning for threats: %s

By clicking Agree and Begin Analysis, you accept the terms of the Webroot software license agreement.

View report summary

Operating system detected

Detecting operating system information

SecureAnywhere Backup && Sync allows you to protect your data and access it easier by synchronizing it across devices and securely backing it up to prevent data loss. Click "Login" to create your account or log into an existing account.

Please wait until the current operation is complete.

Google Chrome

.text

h.rdata

H.data

.rsrc

B.reloc

SShhA

TransportAddress

HTTP/

d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrkrn.pdb

KeDelayExecutionThread

ZwOpenKey

ZwQueryValueKey

ntoskrnl.exe

WRITE_PORT_UCHAR

HAL.dll

TDI.SYS

FltCloseClientPort

FltCloseCommunicationPort

FltCreateCommunicationPort

FLTMGR.SYS

SeExports

ZwCreateKey

ZwSetValueKey

585=5^5}5

"hXXp://crl.verisign.com/tss-ca.crl0

hXXp://ocsp.verisign.com0

Thawte Certification1

0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0

.Class 3 Public Primary Certification Authority0

hXXp://crl.verisign.com/pca3.crl0

hXXps://VVV.verisign.com/cps0

#hXXp://logo.verisign.com/vslogo.gif04

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

n.aAHu

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

Webroot Inc.1>0

Webroot Inc.0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://crl.verisign.com/pca3-g5.crl04

.pdata

d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrkrn.pdb

`.data

@.reloc

WmiExecuteMethodW

NtRequestWaitReplyPort

NtConnectPort

NtAlpcConnectPort

NtAlpcSendWaitReceivePort

NtAlpcCreatePortSection

NtRequestPort

NtAlpcCreatePort

NtSecureConnectPort

NtDeleteKey

NtDeleteValueKey

NtSetValueKey

NtDelayExecution

NtCreatePort

http:\/\/

hXXps://

PSOWRX

hXXp://%.*s

Chrome_OmniboxView

Chrome_AutocompleteEditView

%s://%S

search.yahoo

WebDrawText

webkit

PSOTBX

Chrome_RenderWidgetHostHWND

MozillaContentWindowClass

MozillaWindowClass

Chrome_WidgetWin_

OperaWindowClass

\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsagreen.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e

\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsared.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e

nspr4.dll

advapi32.dll

bcrypt.dll

ws2_32.dll

sspicli.dll

secur32.dll

wininet.dll

ntdll.dll

d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrusr.pdb

>HTTPu6

msvcrt.dll

GetProcessHeap

KERNEL32.dll

SetWindowsHookExW

SetWindowsHookExA

EnumWindows

EnumChildWindows

USER32.dll

SHELL32.dll

ole32.dll

ADVAPI32.dll

PSAPI.DLL

WS2_32.dll

URLDownloadToFileW

URLDownloadToFileA

urlmon.dll

InternetOpenUrlA

WININET.dll

OLEACC.dll

RPCRT4.dll

OLEAUT32.dll

UrlIsW

SHLWAPI.dll

Secur32.dll

GDI32.dll

MSIMG32.dll

WRUsr.dll

\\x3ca href\\x3d\\x22http

6 6$6(6,6064686

@.rsrc

d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrusr.pdb

%u6HcA

tÃ¹7u HcG

?;5URLURLURL

)|]({\(z['yZ'wY'vX&uW&tV%sU%rT

%sU%rT

GetCPInfo

CertGetCertificateContextProperty

_acmdln

_amsg_exit

GetAsyncKeyState

MapVirtualKeyExW

GetKeyboardLayout

keybd_event

UnhookWindowsHookEx

v.pL>

00000000006

20.sp

%uV7"iL

KERNEL32.DLL

CRYPT32.dll

DDRAW.dll

DSOUND.dll

iphlpapi.dll

NETAPI32.dll

WINSPOOL.DRV

WINTRUST.dll

ddbl.db

dbk.db

dbj.db

dbi.db

dbh.db

dbg.db

dbf.db

dbe.db

dbd.db

dbc.db

dbb.db

dba.db

index.dat

content url

searchurl

use custom search url

scrnsave.exe

Default_Search_Url

Default_Page_Url

.cn/index

Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Software\Microsoft\Windows\CurrentVersion\Media Center\Service\Video

Software\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance

Software\Microsoft\Ole\appcompat\activationsecuritycheckexemptionlist

Software\Microsoft\Internet Explorer\UrlSearchHooks

Software\Microsoft\Internet Explorer\Extensions\CmdMapping

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Windows\CurrentVersion\PreviewHandlers

"%ProgramFiles%\Internet Explorer\iexplore.exe"

"%ProgramFiles%\Mozilla Firefox\firefox.exe"

"%ProgramFiles%\Internet Explorer\iexplore.exe" %1

rundll32.exe url.dll,FileProtocolHandler %l

rundll32.exe url.dll,TelnetProtocolHandler %l

rundll32 %SystemRoot%\system32\shscrap.dll,OpenScrap_RunDLL %1

regedit.exe "%1"

"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"

"%SystemRoot%\System32\msiexec.exe" /i "%1" %*

Msi.Package

%SystemRoot%\system32\mmc.exe "%1" %*

.mpeg

"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"

"%SystemRoot%\System32\WScript.exe" "%1" %*

rundll32.exe shdocvw.dll,OpenURL %l

%SystemRoot%\system32\NOTEPAD.EXE %1

"%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome

%SystemRoot%\system32\mshta.exe "%1" %*

cmdfile

"%SystemRoot%\hh.exe" %1

chm.file

ieuser.exe

crashreporter.exe

plugin-container.exe

epic.exe

waol.exe

iron.exe

safari.exe

firefox

winlogon.exe

spoolsv.exe

services.exe

audiodg.exe

svchost.exe

lsass.exe

consent.exe

dwm.exe

lsm.exe

procexp64.exe

procexp.exe

dplp2.exe

dplp.exe

watchdogx64.exe

flashcookiecleaner.exe

shredder.exe

atieclxx.exe

atiesrxx.exe

searchfilterhost.exe

werfault.exe

ravcpl64.exe

nvtray.exe

clpsla.exe

clps.exe

mtxagent.exe

googleupdate.exe

googlecrashhandler.exe

downloaderapp.exe

ccleaner.exe

ccleaner64.exe

conhost.exe

irperl.exe

fswscs.exe

bsplayer.exe

wow_helper.exe

realplay.exe

nmake.exe

cl.exe

winrar.exe

fsdomnodeie.dll

jhook.dll

yzshadow.exe

yahoomessenger.exe

wspace.exe

wlmail.exe

wdict32.exe

vmware-vmx.exe

vmware.exe

ultramon.exe

translateclient.exe

totalcmd.exe

thunderbird.exe

stpass.exe

splwow64.exe

skype.exe

sidebar.exe

sllauncher.exe

sbrender.exe

rocketdock.exe

robotaskbaricon.exe

roboform.dll

robo.exe

popupblocker.exe

pdfvista.exe

patrol.exe

packpro.exe

outlook.exe

opstm080.exe

opera.exe

notepad .exe

mvtapp.exe

msnmsgr.exe

fsocrserver.exe

jfw.exe

iexplore.exe

helppane.exe

google.exe

gamebooster.exe

firefox.exe

excel.exe

eudora.exe

eqgame.exe

dsNetworkConnect.exe

dllhost.exe

digsby.exe

communicator.exe

crazy browser.exe

ctfmon.exe

chrome.exe

bttray.exe

babylon.exe

ati2evxx.exe

aolsoftware.exe

admunch64.exe

admunch.exe

adblock.exe

acrotray.exe

acrord32.exe

acrodist.exe

acrobat.exe

verclsid.exe

wrbar.exe

WRSyncManager.exe

wrinstall.exe

snippingtool.exe

Portugu

s (Brazilian Portuguese)

Ftaskmgr.exe

csrss.exe

"%s" %s

"%s" %S

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

%s\%s

%c:\%s

%s:%i

msiexec

%drivers%

*\windows\system32\drivers\*

%fonts%

*\windows\fonts\*

%%restore%%\%s

\\?hostname?\?share?\%s

%%winsxs%%\%s

c:\windows/

windows\system32/

Webroot

WRusr.dll

\\.\%c:

Windows\System32\windbg48.sys

m0rpheus.tpl

%SystemRoot%\System32\svchost.exe

mscoree.dll

%S(%s)

tcpip

.net clr

%S(%s\%s\, %s)

%S(HKLM\Software\Classes\%s\, %s)

%S(%s\%s\)

%S(%s\Software\Classes\%s\)

%S(%s\%s\%s)

/scanfile="%s"

%s\sfc.exe

Writing MBR> New Data: [%S]

Executing Command> %s

Terminating Module Parent> %i - %s

Closing Handle> %i - PID: %i - %s

Renaming Registry Key> %s\%s to %s\%s

Deleting File> %s

Writing Registry Value> %s\%s - %s

Writing File Data> %s - [New Data: %s]

Deleting Directory> %s

Deleting Registry Value> %s\%s - %s

Deleting Registry Key> %s\%s

Fixing LSP> %S

Core Component> Un-patching file [%s] - New Size: %i bytes

Copying File> %s to %s

Terminating Process> %i - %s

Stopping Service> %s

Deleting Service> %s

Starting Routine> %s...

\\.\pipe\WRSynUM2

\\.\WRSYNAPSE

\temporary asp.net files\

\opera\temporary_downloads\

\microsoft.net\framework\

\$recycle.bin\S-

mbam.exe

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncExcl

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncGreen

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncYellow

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncRed

CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}

CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32

%s\Symantec\

%s\Common Files\Symantec Shared\

%s\Symantec.cloud\

\\.\pipe\

wmiprvse.exe

\Slow.pvx

\Slowusr.pvx

%i %s

%s %S - %i%%, %i %s)

%s - %s

hXXps://*

hXXp://*

%ProgramFiles%\Webroot\WRSA.exe

%S - %s

InstallLogo.bmp

\\?\%c:

%i %s, %i %s

%i %s,

s\\.\PhysicalDrive%i

[%C] %s

[%C] %s [MD5: %S] [Flags: X.%i]

[%C] %s [MD5: %S] [Flags: X.%i] [Threat: %S]

[%S] - CPU: %i%%, Physical Memory: %i%%, Virtual Memory: %i%%, Page File: %i%%, Processes: %i

res%i.db

-%i-%i.tmp

bcdedit.exe

autorun.inf

\services.exe

\drivers\pciide.sys

\drivers\smbe.sys

\drivers\eubkmon.sys

\drivers\acpi.sys

\drivers\wdf01000.sys

\drivers\cdrom.sys

\drivers\serial.sys

\drivers\ipsec.sys

\drivers\tcpip.sys

\drivers\afd.sys

\drivers\rdbss.sys

\drivers\mrxsmb.sys

\drivers\netbt.sys

\microsoft.net\

.crdownload

.partial

\windows\installer\

\config.msi\

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Software\Microsoft\Windows\CurrentVersion\Uninstall

{98C3BECF-DD5F-44D2-8EF3-

rundll32.exe

http*://

hXXp://VVV.

opera

%S(%s, %.*S)

%S(%s, %s)

%S(%s, 0x%S)

Temp\%.*S-%S-%.*S.WR

\\.\pipe\WRSVCPipe

%S(%i)

desktop.ini

%s %s %s

%i (%s %s)

%s: %s

PKG\WRSyncManager.exe

PKG\files_zh_cn_qt.qm

PKG\files_zh_cn.qm

PKG\files_de_de_qt.qm

PKG\files_de_de.qm

PKG\files_es_es_qt.qm

PKG\files_es_es.qm

PKG\files_ja_jp_qt.qm

PKG\files_ja_jp.qm

PKG\files_en_us_qt.qm

PKG\files_en_us.qm

PKG\WRBar.dll

%s (%s)

*.mpeg, *.avi, *.mp4

*.mp3, *.m4a

*.jpg, *.jpeg, *.png

*.xls, *.xlsx

*.doc, *.docx

%s (%S)

%s - %S

%s\Administrator

%C:%s

A:\%s

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

WRHTTP

dst%2S.db

Chrome

Opera

Software\Mozilla\Mozilla Firefox

http\shell\open\command

Software\Classes\http\shell\open\command

&OLDLIC=%s

hXXp://products.webroot.com/disp2012/?CMD=P40IPM&LIC=%S&LANG=%S&email=%s&optin=%S&DeviceMID=%S&InstanceMID=%S

partnerno=%S&MIDHEX=%S&datelogged=%S&Lastinfected=%S&Currentbads=%i&highbads=%i&mediumbads=%i&Lowbads=%i&identifynownowvalue=%S

I%S(%s\%s\%s, %s)

%S(%s\%s\%s, %s%s%s)

%S(%s, 0)

%s\drivers\%s.sys

%s\2i

Pipe

%s\%s\%i

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

dow.lac

centro.txt

1.pac

AutoConfigUrl

hXXp://

Software\classes\clsid\{871c5380-42a0-1069-a2ea-08002b30309d}\shell\openhomepage\command

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe

ekrn.exe

"%ProgramFiles%\Mozilla Firefox\firefox.exe" -safe-mode

firefox.exe\shell\safemode\command

firefox.exe\shell\open\command

iexplore.exe\shell\open\command

\WRSYNAPSEPORT

%s\%s.lnk

%s\%s\%s.lnk

%s\%s\%s\%s.lnk

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs

{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}

{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}

{C14874EA-ACE4-4A47-8A81-18C4D1C40868}

{1914B27A-33C8-46F8-A1C2-F993268D4564}

{69D72956-317C-44bd-B369-8E44D4EF9802}

SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData

"%S%s" %S%S

Software\Microsoft\Windows\CurrentVersion\Run

XXX.tmp

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Software\Microsoft\Windows\CurrentVersion\Uninstall\Webroot Software

\Webroot\Security\Current\Products\WISE

\Webroot\Security\Current\Products\WAV

\Webroot\Security\Current\Products\WISC

rSoftware\Web Filtering

Software\Microsoft\Windows\CurrentVersion\RunOnce

5db%i.db

System\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

%s %S %S

dbo%i-e.db

dbo%i-%I64X.db

dbm%i.db

tPKG\WRBar.exe

PKG\LPBar.dll

%s\wrSync%i.dat

%s\icon%i.ico

t%s_%i

%s %s %S - %s

%s %s %s %S - %s

%S?LANG=%S

%s\Webroot\Spy Sweeper\install.dat

Software\Webroot\Install

notepad.exe

hXXp://VVV.webroot.com

%S %S

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

%s %i:00 %s %s

*.exe

%s %i %s

WRSA.exe

%i:i %s

SystemCleaner.log

%s\SecureAnywhere Console.lnk

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

UMTX-%s

CURRENT_USER\%s

MACHINE\%s

\explorer.exe

%s\sysnative

%s\WRData

%s - [%S] %i files scanned, %i %s found in %s

si3112r.sys

atmdlc.sys

C:\$MBR.1

\??\%c:\

%S(%s\%s\%s\)

%System%\webcheck.dll

rundll32 shell32,Control_RunDLL "sysdm.cpl"

logonui.exe

userinit.exe,

%S(%s\%.*s\, %I64X)

W%S(%s\%.*s, %I64X-%I64X)

%S(%s\%.*s\)

%S(%s\%.*s\%.*s)

%S(%s\%.*s, %.*s)

%S(%I64X, %I64X)

_reg.tmp

%UserProfile%\Local Settings\Application Data

%UserProfile%

hXXp://twitter.com/*

hXXp://VVV.facebook.com/*

Generating license key... (less than two minutes remaining)

Building your SecureAnywhere web console... (less than one minute remaining)

Preparing the web console for first time use... (less than one minute remaining)

Finalizing your SecureAnywhere web console... (less than 10 seconds remaining)

SysAnalyzerLog-%S.log

%s (%i bytes)

%S(%s, %S)

%S(Removing %s...#(PX5: %S - MD5: %S))

TcpTimedWaitDelay

MaxUserPort

TcpNumConnections

ActiveProcesses.log

webdrive

\Dell Support Center\

;"%s"

WR.mof

wbem\mofcomp.exe

%S - Removing %s

%S - Removing %s - %s

%S - Removing %s - %i bytes

%s\%i.bat

WRTemp_%i_X

%s\WR%i.exe

libAllegro.dll

Lang.dat

dbq.db

5WRupdate%i.exe

%s\%S.html

%s\%S.bmp

Duration: %s

%S (Hostname: %S - Local IP: %S)

Scan Started: %S

%s/%s

%s\System\CurrentControlSet\Enum\ROOT\LEGACY_%s\0000

%s\Services\%s

Embedded Web Browser from: hXXp://bsalsa.com/

Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

Software\Classes\.exe\shell

Software\Policies\Microsoft\Windows\System

Software\Microsoft\Windows\CurrentVersion\Policies\Associations

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

System\CurrentControlSet\Services\Tcpip\Parameters

%S(Removing rootkits - Please wait...#)

Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

SavUI.exe

SymCorpUI.exe

DoScan.EXE

SNAC.EXE

Rtvscan.exe

DefWatch.exe

ccSvcHst.exe

SmcGui.exe

Smc.exe

SemSvc.exe

dbsrv9.exe

CCApp.exe

vptray.exe

AMSadmin.exe

VPC32.exe

NMain.exe

Msiexec.exe

"%s\installTeefer.exe" -u -l2 -f "\install.log"

Microsoft.VC90.CRT.manifest

msvcr90.dll

msvcp90.dll

%s\temp

%s\checksum.exe

%s\temp\tmpremove.exe

dbp.db

Webroot\Sync

This removal tool only supports Windows XP.

PKG\WebrootShellExt.dll

\AGENTCOMMANDS.txt

Software\Classes\CLSID\%s\%s

%s\shell\open\command

%S\%s

%s\prefetch

%SYSTEMDRIVE%\RECYCLER

%SYSTEMDRIVE%

~tmp.hiv

%s\temp\WR-X.tmp

%s\Start Menu\Programs\Startup

WSATemp.exe

dbn.db

%s-%i

*.log

lwrSync.dll

PxPlugin.dll

A file was in use during the cleanup operation and could not be cleaned. A reboot is required to fully remove this file.

PKG.tmp

Software\Google\Chrome

ace%i.db

Win32.%S %s

\%s%s

NetworkEvents.log

WRLog.log

WEH-Tcp

RDP-Tcp

WRrem%i.exe

&CNTID=%S&SNUM=%S&CType=%S

&%S=%S

hXXp://%S?%S=%S%S&%S=%S&%S=%S&%S=%S&LANG=%S&VER=%i%i%i%i

%S?UPD=%S&LANG=%S

To ensure the highest quality experience with SecureAnywhere, we recommend contacting our Support and Sales team to assist with your deployment. Would you like to contact them now?

Opening your web console...

Your web console has been created and you can now easily deploy SecureAnywhere to other PCs and centrally manage configuration policies without needing any extra hardware.

Log-in to your Web Console

SecureAnywhere Endpoint Protection provides an easy to use, web-based console to manage the security of all of the devices in your organization.

By clicking Agree and Begin, you accept the terms of the Webroot software license agreement.

rtmp%d

\\.\DISPLAY

\Windows\explorer.exe

\Device\Tcp

\Device\Udp

\Device\NamedPipe

\System32\spoolsv.exe

\System32\services.exe

\System32\winlogon.exe

\System32\lsass.exe

\System32\svchost.exe

\System32\lsm.exe

\System32\csrss.exe

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*

{X-X-X-XX-XXXXXX}

WRkrn.sys

user32.dll

shdocvw.dll

ieframe.dll

rpcrt4.dll

WINDOW: %s - %s

ShXXps://

tmpremove.exe

smc.exe

msctf.dll

browseui.dll

dwmapi.dll

uxtheme.dll

"%s" %S"%s"

hXXps://VVV.webroot.com

eSoftware\Microsoft\Windows\CurrentVersion\Internet Settings

RapportKE64

RapportKELL

wsock32.dll

%s\%s\%s\%s

wrSync4.dat

wrSync3.dat

wrSync2.dat

wrSync1.dat

Webr

WRSA.exe_352_rwx_01001000_00205000: