Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, SearchProtectToolbar.YR, GenericInjector.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bd5600ddf7f19d2f830362dcf083901c
SHA1: de6c712e849e3ae6f36d8f9a9feb91c25682a8fb
SHA256: 97f7d9dda9ff032aeadf230d62ceb587ac8b2131744fbd4527034c8519a8dc31
SSDeep: 49152:It4Wq 2TWNggtZGCxSkMdU3Zgdbzt5gxzlXMXls0KdRPO6cO:I5QT9CxS3qJm95gPXM1FKjPO6cO
Size: 2326936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2011-07-06 17:31:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
CltMngSvc.exe:2068
CltMngSvc.exe:224
nsm4.exe:148
%original file name%.exe:1276
cltmng.exe:2516
nsq9.exe:1404
The Virus injects its code into the following process(es):
cltmng.exe:2492
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process nsm4.exe:148 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (24 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)
The process %original file name%.exe:1276 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (741 bytes)
%Program Files%\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014EDF8_Rar\%original file name%.exe (15799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe (89498 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\SearchProtect\bin\SPHook32.dll (5520 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook32.dll (5520 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (741694 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\popupTransparent.xul (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPRunner.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (175875 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Program Files%\SearchProtect\bin\uninstall.exe (6584 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\bin\SPRunner.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (1856 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
%System%\msvcr100.dll (10882 bytes)
%Program Files%\SearchProtect\bin\cltmng.exe (89498 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\ChromeModule.dll (28288 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm4.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%System%\msvcp100.dll (4642 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%Program Files%\SearchProtect\bin\ChromeModule.dll (28288 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (6 bytes)
%Program Files%\SearchProtect\bin\FirefoxModule.dll (34773 bytes)
%Program Files%\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\bin\msvcr100.dll (25824 bytes)
%Program Files%\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\application.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Program Files%\SearchProtect\bin\CltMngSvc.exe (3312 bytes)
%Program Files%\SearchProtect\ffprotect\application.js (601 bytes)
%Program Files%\SearchProtect\bin\msvcp100.dll (14184 bytes)
%Program Files%\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)
The process nsq9.exe:1404 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (24 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscA.tmp (0 bytes)
Registry activity
The process CltMngSvc.exe:2068 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 6F DC A3 93 C0 43 1D E6 F2 6B AF 06 FA FC 8D"
The process CltMngSvc.exe:224 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 3F B7 92 E0 A9 4B 56 C6 DE 58 8E 71 5A 21 2C"
The process nsm4.exe:148 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3C 79 C6 A7 2E F6 ED 2F 09 A0 D7 82 C1 4D EC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
"a4_36" = "258088356"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Conduit"
[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_30" = "215073630"
"a1_48" = "262978150"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a1_53" = "1560123974"
"a1_42" = "608335292"
"a1_50" = "4267342224"
"a2_28" = "200730413"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas]
"a2_26" = "186388573"
"a2_27" = "193573873"
[HKCU\Software\Aas\695404737]
"7169121" = "157"
[HKCU\Software\Aas]
"a2_25" = "179228956"
"a2_22" = "157728729"
"a2_20" = "143379083"
"a2_21" = "150544185"
"a2_7" = "50176954"
"a4_11" = "78860331"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Aas\695404737]
"35845605" = "279"
[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"
[HKCU\Software\Aas]
"a4_10" = "71691210"
"a2_6" = "43009444"
"a2_5" = "35841042"
"a2_4" = "28673537"
"a2_3" = "21498089"
"a2_2" = "14346572"
"a2_1" = "7173091"
"a2_0" = "9832"
"a2_44" = "315449677"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\,"
[HKCU\Software\Aas]
"a2_9" = "64528830"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a2_53" = "379972038"
"a3_43" = "324843106"
"a2_51" = "365619674"
"a2_50" = "358449583"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a2_55" = "394299729"
"a2_54" = "387136433"
"a3_51" = "348755322"
"a3_35" = "267899754"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "5E8F4F62667CCCACEB781E90A37BB0A8ADFF5D0207CECC747614EAA681F1DF0F00D65B17772A9DACB325D1E7C4AC55E9F9253BF5993C7E62952C57DF62A6E5FDC9B8A5299A8DBED1FB5A9EB34E350D6061885163CFAE9F1D1D0ECFBA99B9BDAEB650B55175FC1C2A965481E15E9A3CAD71726D65F3CDA5637BF0BE3BC8E374C3"
[HKCU\Software\Aas]
"a2_8" = "57360172"
"a1_28" = "3228685785"
"a1_12" = "1174665665"
"a1_13" = "4076776892"
"a1_10" = "1071546649"
"a1_11" = "2318739959"
"a1_16" = "1472144990"
"a1_17" = "3772702960"
"a1_14" = "4170948361"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_18" = "1449162629"
"a1_19" = "3052690794"
"a2_48" = "344126011"
"a2_49" = "351278618"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"UninstallString" = "%Program Files%\SearchProtect\bin\uninstall.exe /S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a2_40" = "286766458"
"a2_41" = "293932015"
"a2_42" = "301100597"
"a2_43" = "308266908"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Aas]
"a2_46" = "329785115"
"a2_47" = "336951251"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "1.5.0.71"
[HKCU\Software\Aas]
"a3_36" = "241268621"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayName" = "Search Protect by conduit"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 4C 54 69 16 36 A5 04 DB BB 6F 3F 2D BA 9F D5"
[HKCU\Software\SearchProtect\ffprotect]
"ffHomepage" = "{}"
[HKCU\Software\Aas]
"a2_57" = "408634468"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a2_56" = "401466235"
"a3_42" = "284237251"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a1_0" = "3299283285"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Aas]
"a3_33" = "253401768"
"a4_13" = "93198573"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_41" = "1175678420"
"a1_40" = "3112489572"
"a1_43" = "812055938"
"a4_12" = "86029452"
"a1_45" = "2664743508"
"a1_44" = "806423141"
"a1_47" = "3114940119"
"a1_46" = "382469827"
"a1_49" = "1624578760"
"a4_15" = "107536815"
[HKCU\Software\Aas\695404737]
"43014726" = "0800687474703A2F2F3230322E3134332E3135392E3133352F696D616765732F6C6F676F2E67696600687474703A2F2F62656D2E646B2F696D616765732F6C6F676F662E67696600687474703A2F2F62616E626F6F6E2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6264622E636F6D2E6D792F6C6F676F2E67696600687474703A2F2F6261756C61756E672E6F72672F696D616765732F6C6F676F2E67696600687474703A2F2F62617A7961722D617279612E636F6D2F6C6F676F2E67696600687474703A2F2F6261726C696B696E736161742E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F626173616D616B68616C6973692E636F6D2F6C6F676F2E676966"
[HKCU\Software\Aas]
"a3_41" = "277248416"
"a4_14" = "100367694"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "%Program Files%\SearchProtect\bin\cltmng.exe"
[HKCU\Software\Aas]
"a4_17" = "121875057"
"a3_28" = "183865525"
"a4_16" = "114705936"
"a3_40" = "269796609"
"a3_29" = "224867540"
"a4_19" = "136213299"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a4_18" = "129044178"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKCU\Software\Aas]
"a4_24" = "172058904"
"a4_25" = "179228025"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a3_47" = "353765350"
"a2_29" = "207899426"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a1_22" = "767601794"
"a1_56" = "776211010"
"a1_57" = "3096474560"
"a1_54" = "622265903"
"a1_55" = "2017316994"
"a1_52" = "638804490"
"a2_24" = "172061634"
"a3_37" = "248309804"
"a1_51" = "2008350609"
"a4_55" = "394301655"
"a3_46" = "313221959"
[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SP1D2CC307-73C5-420E-A9B7-FA66CBBB6DAF"
[HKCU\Software\Aas]
"a1_21" = "3088289700"
"a2_23" = "164896728"
"a2_17" = "121878036"
"a2_16" = "114708582"
"a2_15" = "107543232"
"a2_14" = "100362012"
"a2_13" = "93206883"
"a2_12" = "86027549"
"a2_11" = "78860252"
"a2_10" = "71693673"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_26" = "169827315"
"a3_34" = "260325067"
"a2_19" = "136209430"
"a2_18" = "129046589"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_1" = "3386940473"
"a1_2" = "3712339979"
"a1_3" = "2620474486"
"a1_4" = "83174613"
"a1_5" = "616562248"
"a1_6" = "454656014"
"a1_7" = "2401786110"
"a1_8" = "310532945"
"a1_9" = "2948510009"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a4_26" = "186397146"
"a1_23" = "1393522403"
"a1_29" = "2974281407"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a1_20" = "1050578346"
"a3_44" = "332278405"
"a3_30" = "231909751"
"a1_27" = "889908127"
"a3_31" = "205278614"
"a1_26" = "675954575"
"a1_25" = "2922091070"
"a2_52" = "372799793"
"a3_32" = "212854281"
"a1_24" = "2020335726"
"a3_50" = "341766363"
"a2_45" = "322613994"
"a3_52" = "389745053"
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a4_52" = "372794292"
"a1_38" = "213872447"
"a1_39" = "3964775043"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_30" = "2646907918"
"a1_31" = "3886322426"
"a1_32" = "1167938370"
"a1_33" = "2462240188"
"a1_34" = "2225036716"
"a1_35" = "370808629"
"a1_36" = "2012235382"
"a1_37" = "3198637671"
"a1_15" = "247433699"
"a2_31" = "222234361"
"a2_30" = "215079550"
"a2_33" = "236579903"
"a2_32" = "229414781"
"a2_35" = "250911624"
"a2_34" = "243747348"
"a2_37" = "265263361"
"a2_36" = "258081705"
"a2_39" = "279598592"
"a2_38" = "272431981"
"a3_45" = "305778468"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Virus deletes the following value(s) in system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"
The process cltmng.exe:2516 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 92 CE 45 82 30 DD A3 08 AE AF 56 9A D9 C6 C2"
The process cltmng.exe:2492 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E CB 9C 9D 07 D8 E3 43 6D 1F 7D EC 36 CB DA 3A"
[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"
"ffHomepage" = "{}"
The process nsq9.exe:1404 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CA 86 5B 21 B1 A9 9A C0 C8 F2 47 95 7D 48 CA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
427bd933e1e35f75b39ea0e97420672e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\ChromeModule.dll |
2b9a15dfdc14b4ecb1e8fc13ae43e60f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\CltMngSvc.exe |
47d4e142baff5016f0c5a089b16d629f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\FirefoxModule.dll |
55b460acb7d70c33db75c310c651e095 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\InternetExplorerModule.dll |
9feacad9b427f3eac86200053816bfb2 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPHook32.dll |
ba2d6991a577dc63be639603de1218bf | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPRunner.exe |
e7bfaec48b638814f9da09ff1f4b723a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\cltmng.exe |
03e9314004f504a14a61c3d364b62f66 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\msvcr100.dll |
427bd933e1e35f75b39ea0e97420672e | c:\Program Files\SearchProtect\bin\ChromeModule.dll |
2b9a15dfdc14b4ecb1e8fc13ae43e60f | c:\Program Files\SearchProtect\bin\CltMngSvc.exe |
47d4e142baff5016f0c5a089b16d629f | c:\Program Files\SearchProtect\bin\FirefoxModule.dll |
55b460acb7d70c33db75c310c651e095 | c:\Program Files\SearchProtect\bin\InternetExplorerModule.dll |
9feacad9b427f3eac86200053816bfb2 | c:\Program Files\SearchProtect\bin\SPHook32.dll |
ba2d6991a577dc63be639603de1218bf | c:\Program Files\SearchProtect\bin\SPRunner.exe |
e7bfaec48b638814f9da09ff1f4b723a | c:\Program Files\SearchProtect\bin\cltmng.exe |
03e9314004f504a14a61c3d364b62f66 | c:\Program Files\SearchProtect\bin\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\Program Files\SearchProtect\bin\msvcr100.dll |
1ffd12341e910d9be43658b98f1cb9dc | c:\Program Files\SearchProtect\bin\uninstall.exe |
03e9314004f504a14a61c3d364b62f66 | c:\WINDOWS\system32\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\WINDOWS\system32\msvcr100.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Static Analysis
VersionInfo
Company Name: Conduit
Product Name: Search Protect
Product Version: 1.5.0.71
Legal Copyright: 2012 (c) Conduit. All rights reserved.
Legal Trademarks:
Original Filename: SearchProtect (R) P
Internal Name: Unknown
File Version: 1.5.0.71
File Description: Search Protect by Conduit
Comments:
Language: English (United States)
Company Name: ConduitProduct Name: Search ProtectProduct Version: 1.5.0.71Legal Copyright: 2012 (c) Conduit. All rights reserved.Legal Trademarks: Original Filename: SearchProtect (R) PInternal Name: UnknownFile Version: 1.5.0.71File Description: Search Protect by ConduitComments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 25506 | 25600 | 4.51095 | eaec91b880ba7bb207ca9d4c54420c5d |
.rdata | 32768 | 6386 | 6656 | 3.3883 | 170563e94de7ebfd6e622a164ce38c8a |
.data | 40960 | 419484 | 512 | 0.991115 | 23d69b1e3a55dee07701198b7650a06b |
.ndata | 462848 | 1642496 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2105344 | 118784 | 115200 | 5.13064 | 99d9329d11a35d3b208487fa4e82d274 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Virus connects to the servers at the folowing location(s):
Strings from Dumps
CltMngSvc.exe_2068:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
RSSSh
RSSSh
D:\builds\27\Search Protector\SP-1.5.0-CI\Binaries\Win32\Release\CltMngSvc.pdb
D:\builds\27\Search Protector\SP-1.5.0-CI\Binaries\Win32\Release\CltMngSvc.pdb
KERNEL32.dll
KERNEL32.dll
RegCloseKey
RegCloseKey
ReportEventW
ReportEventW
RegOpenKeyW
RegOpenKeyW
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
MSVCP100.dll
MSVCP100.dll
SHLWAPI.dll
SHLWAPI.dll
WTSAPI32.dll
WTSAPI32.dll
MSVCR100.dll
MSVCR100.dll
_amsg_exit
_amsg_exit
_acmdln
_acmdln
_crt_debugger_hook
_crt_debugger_hook
CryptMsgGetParam
CryptMsgGetParam
CertFindCertificateInStore
CertFindCertificateInStore
CertGetNameStringW
CertGetNameStringW
CertFreeCertificateContext
CertFreeCertificateContext
CertCloseStore
CertCloseStore
CryptMsgClose
CryptMsgClose
CRYPT32.dll
CRYPT32.dll
/1::::0/
/1::::0/
.8:::;::8.
.8:::;::8.
0"8 8<<5
0"8 8<<5
>633,, ,&36>
>633,, ,&36>
ttt.ttt{mnn
ttt.ttt{mnn
ttt.ttttprp
ttt.ttttprp
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
PAD-----BEGIN PUBLIC KEY-----
PAD-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----END PUBLIC KEY-----
%s (Error: %d)
%s (Error: %d)
r\\?\
r\\?\
All Files (*.*)
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
%s [Recovered]
1.5.0.71
1.5.0.71
cltmng.exe_2492:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
QSSSSh
QSSSSh
PSSSSSSSSh
PSSSSSSSSh
j.hDdb
j.hDdb
.EKSWU
.EKSWU
\$$;\$0|
\$$;\$0|
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
Camellia for x86 by <appro></appro>
Camellia for x86 by <appro></appro>
6-9'6-9'
6-9'6-9'
$6.:$6.:
$6.:$6.:
*?#1*?#1
*?#1*?#1
>8$4,8$4,
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro></appro>
AES for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
FtPS
FtPS
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
.\boost/exception/detail/exception_ptr.hpp
.\boost/exception/detail/exception_ptr.hpp
CERTIFICATE REQUEST
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
CERTIFICATE
PUBLIC KEY
PUBLIC KEY
RSA part of OpenSSL 1.0.0e 6 Sep 2011
RSA part of OpenSSL 1.0.0e 6 Sep 2011
SHA-512 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-512 part of OpenSSL 1.0.0e 6 Sep 2011
ssl_sess_cert
ssl_sess_cert
ssl_cert
ssl_cert
evp_pkey
evp_pkey
x509_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
passed a null parameter
DSO support routines
DSO support routines
x509 certificate routines
x509 certificate routines
error:lX:%s:%s:%s
error:lX:%s:%s:%s
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
pubkey
pubkey
PEM part of OpenSSL 1.0.0e 6 Sep 2011
PEM part of OpenSSL 1.0.0e 6 Sep 2011
phrase is too short, needs to be at least %d chars
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
Enter PEM pass phrase:
TRUSTED CERTIFICATE
TRUSTED CERTIFICATE
X509 CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
ANY PRIVATE KEY
enc_key
enc_key
key_enc_algor
key_enc_algor
cert
cert
d.encrypted
d.encrypted
d.digest
d.digest
d.signed_and_enveloped
d.signed_and_enveloped
d.enveloped
d.enveloped
d.sign
d.sign
d.data
d.data
d.other
d.other
NETSCAPE_CERT_SEQUENCE
NETSCAPE_CERT_SEQUENCE
certs
certs
X509_PUBKEY
X509_PUBKEY
public_key
public_key
.\crypto\asn1\x_pubkey.c
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.0e 6 Sep 2011
DSA part of OpenSSL 1.0.0e 6 Sep 2011
priv_key
priv_key
pub_key
pub_key
.\crypto\ec\ec_key.c
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
EC_PRIVATEKEY
publicKey
publicKey
privateKey
privateKey
value.implicitlyCA
value.implicitlyCA
value.parameters
value.parameters
value.named_curve
value.named_curve
p.char_two
p.char_two
p.prime
p.prime
p.ppBasis
p.ppBasis
p.tpBasis
p.tpBasis
p.onBasis
p.onBasis
p.other
p.other
Big Number part of OpenSSL 1.0.0e 6 Sep 2011
Big Number part of OpenSSL 1.0.0e 6 Sep 2011
supportedAlgorithms
supportedAlgorithms
crossCertificatePair
crossCertificatePair
certificateRevocationList
certificateRevocationList
cACertificate
cACertificate
userCertificate
userCertificate
userPassword
userPassword
supportedApplicationContext
supportedApplicationContext
Microsoft Local Key set
Microsoft Local Key set
LocalKeySet
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
password based MAC
id-PasswordBasedMAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
X509v3 Certificate Issuer
certificateIssuer
certificateIssuer
certicom-arc
certicom-arc
Proxy Certificate Information
Proxy Certificate Information
proxyCertInfo
proxyCertInfo
Microsoft Smartcardlogin
Microsoft Smartcardlogin
msSmartcardLogin
msSmartcardLogin
joint-iso-itu-t
joint-iso-itu-t
JOINT-ISO-ITU-T
JOINT-ISO-ITU-T
set-rootKeyThumb
set-rootKeyThumb
setAttr-Cert
setAttr-Cert
setCext-cCertRequired
setCext-cCertRequired
setCext-certType
setCext-certType
setct-CertResTBE
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBEX
setct-CertReqTBE
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertInqReqTBS
setct-CertResData
setct-CertResData
setct-CertReqTBS
setct-CertReqTBS
setct-CertReqData
setct-CertReqData
setct-PCertResTBS
setct-PCertResTBS
setct-PCertReqData
setct-PCertReqData
setct-AcqCardCodeMsg
setct-AcqCardCodeMsg
certificate extensions
certificate extensions
set-certExt
set-certExt
set-msgExt
set-msgExt
id-ecPublicKey
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-cmc-getCert
id-regInfo-certReq
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-ct-publishCert
id-smime-mod-msg-v3
id-smime-mod-msg-v3
sdsiCertificate
sdsiCertificate
x509Certificate
x509Certificate
localKeyID
localKeyID
certBag
certBag
pkcs8ShroudedKeyBag
pkcs8ShroudedKeyBag
keyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Client Authentication
TLS Web Server Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
X509v3 Extended Key Usage
extendedKeyUsage
extendedKeyUsage
X509v3 Authority Key Identifier
X509v3 Authority Key Identifier
authorityKeyIdentifier
authorityKeyIdentifier
X509v3 Certificate Policies
X509v3 Certificate Policies
certificatePolicies
certificatePolicies
X509v3 Private Key Usage Period
X509v3 Private Key Usage Period
privateKeyUsagePeriod
privateKeyUsagePeriod
X509v3 Key Usage
X509v3 Key Usage
keyUsage
keyUsage
X509v3 Subject Key Identifier
X509v3 Subject Key Identifier
subjectKeyIdentifier
subjectKeyIdentifier
Netscape Certificate Sequence
Netscape Certificate Sequence
nsCertSequence
nsCertSequence
Netscape CA Policy Url
Netscape CA Policy Url
nsCaPolicyUrl
nsCaPolicyUrl
Netscape Renewal Url
Netscape Renewal Url
nsRenewalUrl
nsRenewalUrl
Netscape CA Revocation Url
Netscape CA Revocation Url
nsCaRevocationUrl
nsCaRevocationUrl
Netscape Revocation Url
Netscape Revocation Url
nsRevocationUrl
nsRevocationUrl
Netscape Base Url
Netscape Base Url
nsBaseUrl
nsBaseUrl
Netscape Cert Type
Netscape Cert Type
nsCertType
nsCertType
Netscape Certificate Extension
Netscape Certificate Extension
nsCertExt
nsCertExt
extendedCertificateAttributes
extendedCertificateAttributes
challengePassword
challengePassword
dhKeyAgreement
dhKeyAgreement
%'%1%=%C%K%O%s%
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
C%C'C3C7C9COCWCiC
ERAND part of OpenSSL 1.0.0e 6 Sep 2011
ERAND part of OpenSSL 1.0.0e 6 Sep 2011
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.0e 6 Sep 2011
lhash part of OpenSSL 1.0.0e 6 Sep 2011
Stack part of OpenSSL 1.0.0e 6 Sep 2011
Stack part of OpenSSL 1.0.0e 6 Sep 2011
value.single
value.single
value.set
value.set
.\crypto\evp\evp_key.c
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.0e 6 Sep 2011
EVP part of OpenSSL 1.0.0e 6 Sep 2011
name.relativename
name.relativename
name.fullname
name.fullname
certificateHold
certificateHold
Certificate Hold
Certificate Hold
cessationOfOperation
cessationOfOperation
Cessation Of Operation
Cessation Of Operation
keyCompromise
keyCompromise
Key Compromise
Key Compromise
%*s%s:
%*s%s:
%*sOnly Attribute Certificates
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
d.registeredID
d.registeredID
d.iPAddress
d.iPAddress
d.uniformResourceIdentifier
d.uniformResourceIdentifier
d.ediPartyName
d.ediPartyName
d.directoryName
d.directoryName
d.dNSName
d.dNSName
d.rfc822Name
d.rfc822Name
d.otherName
d.otherName
AUTHORITY_KEYID
AUTHORITY_KEYID
keyid
keyid
cert_info
cert_info
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
PKCS8_PRIV_KEY_INFO
PKCS8_PRIV_KEY_INFO
pkey
pkey
pkeyalg
pkeyalg
EC part of OpenSSL 1.0.0e 6 Sep 2011
EC part of OpenSSL 1.0.0e 6 Sep 2011
USER32.DLL
USER32.DLL
NETAPI32.DLL
NETAPI32.DLL
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.DLL
ADVAPI32.DLL
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
RIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011
RIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011
SHA part of OpenSSL 1.0.0e 6 Sep 2011
SHA part of OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
CAST part of OpenSSL 1.0.0e 6 Sep 2011
CAST part of OpenSSL 1.0.0e 6 Sep 2011
Blowfish part of OpenSSL 1.0.0e 6 Sep 2011
Blowfish part of OpenSSL 1.0.0e 6 Sep 2011
:RC2 part of OpenSSL 1.0.0e 6 Sep 2011
:RC2 part of OpenSSL 1.0.0e 6 Sep 2011
.pp@0
.pp@0
aEÐ
aEÐ
(#EÚ
(#EÚ
ÚE<<0
ÚE<<0
IDEA part of OpenSSL 1.0.0e 6 Sep 2011
IDEA part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
\X
\X
%s: (%d bit)
%s: (%d bit)
Public-Key
Public-Key
Private-Key
Private-Key
recommended-private-length: %d bits
recommended-private-length: %d bits
public-key:
public-key:
private-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Public-Key: (%d bit)
Private-Key: (%d bit)
Private-Key: (%d bit)
ddddddZ
ddddddZ
ddddddZ
ddddddZ
%d.%d.%d.%d
%d.%d.%d.%d
<unsupported></unsupported>
<unsupported></unsupported>
IP Address:%d.%d.%d.%d
IP Address:%d.%d.%d.%d
URI:%s
URI:%s
DNS:%s
DNS:%s
email:%s
email:%s
EdiPartyName:<unsupported></unsupported>
EdiPartyName:<unsupported></unsupported>
X400Name:<unsupported></unsupported>
X400Name:<unsupported></unsupported>
othername:<unsupported></unsupported>
othername:<unsupported></unsupported>
%d.%d.%d.%d/%d.%d.%d.%d
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_PAIR
X509_CERT_AUX
X509_CERT_AUX
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
x%s
x%s
%s - d:d:d%.*s %d%s
%s - d:d:d%.*s %d%s
.\crypto\dh\dh_key.c
.\crypto\dh\dh_key.c
keylen <= sizeof key
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
3ECDSA part of OpenSSL 1.0.0e 6 Sep 2011
3ECDSA part of OpenSSL 1.0.0e 6 Sep 2011
'() ,-./:=?
'() ,-./:=?
%lu:%s:%s:%d:%s
%lu:%s:%s:%d:%s
Verifying - %s
Verifying - %s
Basis Type: %s
Basis Type: %s
Field Type: %s
Field Type: %s
ASN1 OID: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
%s %s%lu (%s0x%lx)
%*sPolicy Text: %s
%*sPolicy Text: %s
%*scrlUrl:
%*scrlUrl:
EXTENDED_KEY_USAGE
EXTENDED_KEY_USAGE
%*sZone: %s, User:
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
.\crypto\x509v3\v3_akey.c
d.usernotice
d.usernotice
d.cpsuri
d.cpsuri
CERTIFICATEPOLICIES
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sExplicit Text: %s
%*sNumber%s:
%*sNumber%s:
%*sOrganization: %s
%*sOrganization: %s
%*sCPS: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
PKEY_USAGE_PERIOD
keyCertSign
keyCertSign
Certificate Sign
Certificate Sign
keyAgreement
keyAgreement
Key Agreement
Key Agreement
keyEncipherment
keyEncipherment
Key Encipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.0e 6 Sep 2011
CONF part of OpenSSL 1.0.0e 6 Sep 2011
PROXY_CERT_INFO_EXTENSION
PROXY_CERT_INFO_EXTENSION
hexkey
hexkey
rsa_keygen_pubexp
rsa_keygen_pubexp
rsa_keygen_bits
rsa_keygen_bits
keylength
keylength
keyfunc
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
.\crypto\pkcs12\p12_key.c
d.receiptList
d.receiptList
d.allOrFirstTier
d.allOrFirstTier
d.compressedData
d.compressedData
d.authenticatedData
d.authenticatedData
d.encryptedData
d.encryptedData
d.digestedData
d.digestedData
d.envelopedData
d.envelopedData
d.signedData
d.signedData
d.ori
d.ori
d.pwri
d.pwri
d.kekri
d.kekri
d.kari
d.kari
d.ktri
d.ktri
CMS_PasswordRecipientInfo
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyDerivationAlgorithm
keyIdentifier
keyIdentifier
CMS_KeyAgreeRecipientInfo
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
CMS_OriginatorIdentifierOrKey
d.originatorKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
CMS_OtherKeyAttribute
keyAttr
keyAttr
keyAttrId
keyAttrId
CMS_KeyTransRecipientInfo
CMS_KeyTransRecipientInfo
encryptedKey
encryptedKey
keyEncryptionAlgorithm
keyEncryptionAlgorithm
certificates
certificates
d.crl
d.crl
d.subjectKeyIdentifier
d.subjectKeyIdentifier
d.issuerAndSerialNumber
d.issuerAndSerialNumber
CMS_CertificateChoices
CMS_CertificateChoices
d.v2AttrCert
d.v2AttrCert
d.v1AttrCert
d.v1AttrCert
d.extendedCertificate
d.extendedCertificate
d.certificate
d.certificate
CMS_OtherCertificateFormat
CMS_OtherCertificateFormat
otherCert
otherCert
otherCertFormat
otherCertFormat
crlUrl
crlUrl
certStatus
certStatus
certId
certId
OCSP_CERTSTATUS
OCSP_CERTSTATUS
value.unknown
value.unknown
value.revoked
value.revoked
value.good
value.good
value.byKey
value.byKey
value.byName
value.byName
reqCert
reqCert
OCSP_CERTID
OCSP_CERTID
issuerKeyHash
issuerKeyHash
CONF_def part of OpenSSL 1.0.0e 6 Sep 2011
CONF_def part of OpenSSL 1.0.0e 6 Sep 2011
[[%s]]
[[%s]]
[%s] %s=%s
[%s] %s=%s
ECDH part of OpenSSL 1.0.0e 6 Sep 2011
ECDH part of OpenSSL 1.0.0e 6 Sep 2011
value.bag
value.bag
value.safes
value.safes
value.shkeybag
value.shkeybag
value.keybag
value.keybag
value.sdsicert
value.sdsicert
value.x509cert
value.x509cert
value.other
value.other
%s.dll
%s.dll
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
P%d_T%d_Dld_ld_ld_Tld_ld_ld
P%d_T%d_Dld_ld_ld_Tld_ld_ld
Main.cpp
Main.cpp
09:15:37
09:15:37
FileHandler.cpp
FileHandler.cpp
Logger\Log4cxxWrapper.cpp
Logger\Log4cxxWrapper.cpp
WM_DDE_EXECUTE
WM_DDE_EXECUTE
WM_KEYLAST
WM_KEYLAST
WM_SYSKEYUP
WM_SYSKEYUP
WM_SYSKEYDOWN
WM_SYSKEYDOWN
WM_KEYUP
WM_KEYUP
WM_KEYDOWN
WM_KEYDOWN
WM_VKEYTOITEM
WM_VKEYTOITEM
WM_CTLCOLORMSGBOX
WM_CTLCOLORMSGBOX
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
%d/%d/%d d:d:d
%d/%d/%d d:d:d
Module %d
Module %d
Image Base: 0xx Image Size: 0xx
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
File Size: %-10d File Time: %s
Company: %s
Company: %s
Product: %s
Product: %s
FileDesc: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
kernel32.dll
kernel32.dll
Windows Vista
Windows Vista
Windows Server 2008
Windows Server 2008
Windows 7
Windows 7
Windows Server 2008 R2
Windows Server 2008 R2
Windows 8
Windows 8
Windows Server 2012
Windows Server 2012
Windows 9
Windows 9
Windows Server 9
Windows Server 9
Web Server Edition
Web Server Edition
Windows Server 2003 R2
Windows Server 2003 R2
Windows Storage Server 2003
Windows Storage Server 2003
Windows Home Server
Windows Home Server
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition
Windows Server 2003
Windows Server 2003
Web Edition
Web Edition
Windows XP
Windows XP
Windows 2000
Windows 2000
(build %d)
(build %d)
This sample does not support this version of Windows.
This sample does not support this version of Windows.
Error occurred at %s.
Error occurred at %s.
Operating system: %s
Operating system: %s
Operating system: Could not Determine
Operating system: Could not Determine
%d processor(s), type %d.
%d processor(s), type %d.
%d%% memory in use.
%d%% memory in use.
%d MBytes physical memory.
%d MBytes physical memory.
%d MBytes physical memory free.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes paging file free.
%d MBytes user address space.
%d MBytes user address space.
%d MBytes user address space free.
%d MBytes user address space free.
a Float Denormal Operand
a Float Denormal Operand
a Float Invalid Operation
a Float Invalid Operation
0xx:
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
%s\CRASH_REPORT_%s.txt
%s\CRASH_REPORT_%s.txt
%s caused %s (0xx)
%s caused %s (0xx)
in module %s at x:x.
in module %s at x:x.
%s location x caused an access violation.
%s location x caused an access violation.
===== [end of %s] =====
===== [end of %s] =====
%s\CRASH_DUMP_%s.dmp
%s\CRASH_DUMP_%s.dmp
Exception code is 0xX
Exception code is 0xX
Crash dump file: %s
Crash dump file: %s
Crash report file :%s
Crash report file :%s
Error creating dump file, err=%d
Error creating dump file, err=%d
Utils.cpp
Utils.cpp
Utils::GetHttpHeaderData
Utils::GetHttpHeaderData
Windows Vista
Windows Vista
Windows Server 2008
Windows Server 2008
Windows 7
Windows 7
Windows Server 2008 R2
Windows Server 2008 R2
Windows 8
Windows 8
Windows Server 2012
Windows Server 2012
Windows 9
Windows 9
Windows Server 9
Windows Server 9
PingSender.cpp
PingSender.cpp
the value the Arg has been passed.
the value the Arg has been passed.
Main\CommandLineHandler.cpp
Main\CommandLineHandler.cpp
(1 , 5 , 0 , 71)
(1 , 5 , 0 , 71)
Main\SearchProtector.cpp
Main\SearchProtector.cpp
SearchProtector_::InitLoginService
SearchProtector_::InitLoginService
SearchProtector_::GetAppDataExePath
SearchProtector_::GetAppDataExePath
SelfProtector\SelfProtector.cpp
SelfProtector\SelfProtector.cpp
key path:
key path:
Settings\SettingsManager.cpp
Settings\SettingsManager.cpp
SettingsManager_::ParseKeyValueSettings
SettingsManager_::ParseKeyValueSettings
Services\ServiceManager.cpp
Services\ServiceManager.cpp
ServiceManager_::GetDefaultServiceMapUrl
ServiceManager_::GetDefaultServiceMapUrl
ServiceManager_::SetServiceMapUrl
ServiceManager_::SetServiceMapUrl
ServiceManager_::SetServiceMapUrlToSettings
ServiceManager_::SetServiceMapUrlToSettings
ServiceManager_::HttpAsyncCallBack
ServiceManager_::HttpAsyncCallBack
BrowserManager.cpp
BrowserManager.cpp
TranslationManager.cpp
TranslationManager.cpp
TranslationManager_::GetServiceUrl
TranslationManager_::GetServiceUrl
Dialogs\DialogsManager.cpp
Dialogs\DialogsManager.cpp
DialogsManager_::HandleDialogInvokeSync
DialogsManager_::HandleDialogInvokeSync
Navigation URL=
Navigation URL=
ToolbarManager.cpp
ToolbarManager.cpp
Main\FinishInstallHandler.cpp
Main\FinishInstallHandler.cpp
UninstallManager.cpp
UninstallManager.cpp
UninstallManager::RemoveSelfFromPendingFileRenameOperations
UninstallManager::RemoveSelfFromPendingFileRenameOperations
ErrorManager.cpp
ErrorManager.cpp
ErrorManager_::ReportError
ErrorManager_::ReportError
ErrorManager_::ReportErrors
ErrorManager_::ReportErrors
SearchAssetsManager.cpp
SearchAssetsManager.cpp
SearchAssetsManager_::GetCtidAssetUrl
SearchAssetsManager_::GetCtidAssetUrl
SearchAssetsManager_::GetCurrentAssetUrl
SearchAssetsManager_::GetCurrentAssetUrl
SearchAssetsManager_::SetUrlByCtidAndAsset
SearchAssetsManager_::SetUrlByCtidAndAsset
SearchAssetsManager_::GetUrlByCtidAndAsset
SearchAssetsManager_::GetUrlByCtidAndAsset
LoginManager::LoginManager
LoginManager::LoginManager
LoginManager.cpp
LoginManager.cpp
LoginManager::~LoginManager
LoginManager::~LoginManager
LoginManager::RequestService
LoginManager::RequestService
LoginManager::CreateInitialJson
LoginManager::CreateInitialJson
LoginManager::GetBrowserSpecificData
LoginManager::GetBrowserSpecificData
LoginManager::GetInstalledCompetitors
LoginManager::GetInstalledCompetitors
LoginManager::ReqestServiceByBrowser
LoginManager::ReqestServiceByBrowser
AutoUpdateManager.cpp
AutoUpdateManager.cpp
ShellExecute error
ShellExecute error
SelfProtector\FilesProtector.cpp
SelfProtector\FilesProtector.cpp
SelfProtector\ProtectorBase.cpp
SelfProtector\ProtectorBase.cpp
SelfProtector\RegistryProtector.cpp
SelfProtector\RegistryProtector.cpp
Settings\RepositoryManager.cpp
Settings\RepositoryManager.cpp
Settings\InitDataManager.cpp
Settings\InitDataManager.cpp
Settings\ServerSettingsManager.cpp
Settings\ServerSettingsManager.cpp
Services\TimerBasedServiceHandler.cpp
Services\TimerBasedServiceHandler.cpp
TimerBasedServiceHandler::HttpAsyncCallBack
TimerBasedServiceHandler::HttpAsyncCallBack
Services\ServiceHandler.cpp
Services\ServiceHandler.cpp
ServiceHandler::HttpAsyncCallBack
ServiceHandler::HttpAsyncCallBack
ServiceHandler::GetServiceUrl
ServiceHandler::GetServiceUrl
AliasManager.cpp
AliasManager.cpp
Settings\ModuleSettingsManager.cpp
Settings\ModuleSettingsManager.cpp
ModuleSettingsManager::GetAssetUrl
ModuleSettingsManager::GetAssetUrl
AssetHandlers\AssetHandler.cpp
AssetHandlers\AssetHandler.cpp
, using default url :
, using default url :
, using url as is
, using url as is
AssetHandler::UpdateUrlParams
AssetHandler::UpdateUrlParams
AssetHandler::MergeSearchUrlParameters
AssetHandler::MergeSearchUrlParameters
Usages\TakeoverUsageData.cpp
Usages\TakeoverUsageData.cpp
Usages\UsageManager.cpp
Usages\UsageManager.cpp
UsageManager_::FlushReportsQueue
UsageManager_::FlushReportsQueue
UsageManager_::EnqueueReport
UsageManager_::EnqueueReport
UsageManager_::FlushReport
UsageManager_::FlushReport
AssetHandlerClassFactory.cpp
AssetHandlerClassFactory.cpp
Settings\InitData.cpp
Settings\InitData.cpp
Dialogs\SettingsDialog.cpp
Dialogs\SettingsDialog.cpp
SettingsDialog::GetNavigationURL
SettingsDialog::GetNavigationURL
Dialogs\DialogBase.cpp
Dialogs\DialogBase.cpp
DialogBase::CompetitorURL
DialogBase::CompetitorURL
BrowserUserCtid.cpp
BrowserUserCtid.cpp
Usages\FunnelDataManager.cpp
Usages\FunnelDataManager.cpp
FunnelDataManager_::ReportFunnelData
FunnelDataManager_::ReportFunnelData
FunnelDataManager_::CreateInitialReportJson
FunnelDataManager_::CreateInitialReportJson
Usages\ProtectionUserChangedAssetUsageData.cpp
Usages\ProtectionUserChangedAssetUsageData.cpp
Usages\ProtectionUsageData.cpp
Usages\ProtectionUsageData.cpp
Usages\BrowserSpecificUsageData.cpp
Usages\BrowserSpecificUsageData.cpp
Usages\UsageData.cpp
Usages\UsageData.cpp
AssetHandlers\FFAssetHandler.cpp
AssetHandlers\FFAssetHandler.cpp
FFAssetHandler::UpdateUrlParams
FFAssetHandler::UpdateUrlParams
FFAssetHandler::GetRevertSettingsRegKeyByOS
FFAssetHandler::GetRevertSettingsRegKeyByOS
AssetHandlers\IEAssetHandler.cpp
AssetHandlers\IEAssetHandler.cpp
RegistryHandler.cpp
RegistryHandler.cpp
RegistryHandler::CreateKey
RegistryHandler::CreateKey
RegistryHandler::GetKey
RegistryHandler::GetKey
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc
HTTP\HTTPManager.cpp
HTTP\HTTPManager.cpp
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc_
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc_
Conduit::SearchProtector::Utils::HTTPManager::RequestAsync
Conduit::SearchProtector::Utils::HTTPManager::RequestAsync
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc_
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc_
Conduit::SearchProtector::Utils::HTTPManager::DownloadFileAsync
Conduit::SearchProtector::Utils::HTTPManager::DownloadFileAsync
Conduit::SearchProtector::Utils::HTTPManager::CheckInternetConnection
Conduit::SearchProtector::Utils::HTTPManager::CheckInternetConnection
TimerWindow.cpp
TimerWindow.cpp
DataChangeNotifier.cpp
DataChangeNotifier.cpp
CompressionHandler.cpp
CompressionHandler.cpp
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"
https
https
HTTP/1.0
HTTP/1.0
http://
http://
https://
https://
Content-Length: %u
Content-Length: %u
Data\UsersProfileData.cpp
Data\UsersProfileData.cpp
BrowserModule.cpp
BrowserModule.cpp
Data\UserBrowserAsset.cpp
Data\UserBrowserAsset.cpp
ToolbarSettings.cpp
ToolbarSettings.cpp
Data\SearchAssetData.cpp
Data\SearchAssetData.cpp
Data\BrowserAsset.cpp
Data\BrowserAsset.cpp
Events\Event.cpp
Events\Event.cpp
ModuleAction.cpp
ModuleAction.cpp
WebBrowserDefs.cpp
WebBrowserDefs.cpp
WebBrowserContainer::WebBrowserContainer
WebBrowserContainer::WebBrowserContainer
WebBrowserContainer.cpp
WebBrowserContainer.cpp
WebBrowserContainer::~WebBrowserContainer
WebBrowserContainer::~WebBrowserContainer
WebBrowserContainer::Initialize
WebBrowserContainer::Initialize
WebBrowserContainer::CreateExternal
WebBrowserContainer::CreateExternal
WebBrowserContainer::Navigate
WebBrowserContainer::Navigate
Calling Navigate bsUrl=
Calling Navigate bsUrl=
Failed Navigate bsUrl=
Failed Navigate bsUrl=
WebBrowserContainer::InitContainer
WebBrowserContainer::InitContainer
WebBrowserContainer::Finalize
WebBrowserContainer::Finalize
WebBrowserContainer::SetLocation
WebBrowserContainer::SetLocation
WebBrowserContainer::SetVisible
WebBrowserContainer::SetVisible
WebBrowserContainer::AddBehaviorToBodyElement
WebBrowserContainer::AddBehaviorToBodyElement
WebBrowserContainer::GetWindowContext
WebBrowserContainer::GetWindowContext
WebBrowserContainer::OnBeforeNavigate
WebBrowserContainer::OnBeforeNavigate
WebBrowserContainer::OnDocumentComplete
WebBrowserContainer::OnDocumentComplete
WebBrowserContainer::OnNavigateComplete
WebBrowserContainer::OnNavigateComplete
WebBrowserContainer::OnNavigateError
WebBrowserContainer::OnNavigateError
WebBrowserContainer::InjectJs
WebBrowserContainer::InjectJs
WebBrowserContainer::OnFocus
WebBrowserContainer::OnFocus
WebBrowserContainer::UIActivateIO
WebBrowserContainer::UIActivateIO
WebBrowserContainer::HasFocusIO
WebBrowserContainer::HasFocusIO
WebBrowserContainer::TranslateAcceleratorIO
WebBrowserContainer::TranslateAcceleratorIO
WebBrowserContainer::OnRefresh
WebBrowserContainer::OnRefresh
WebBrowserContainer::OnSize
WebBrowserContainer::OnSize
WebBrowserContainer::FocusChange
WebBrowserContainer::FocusChange
WebBrowserContainer::SetAlphaColorKey
WebBrowserContainer::SetAlphaColorKey
WebBrowserContainer::OnRefreshComplete
WebBrowserContainer::OnRefreshComplete
WebBrowserContainer::SetDragAndDropFiles
WebBrowserContainer::SetDragAndDropFiles
, m_pWebBrowser =
, m_pWebBrowser =
WebBrowserContainer::SetMainToolbarBrowserTransparent
WebBrowserContainer::SetMainToolbarBrowserTransparent
WebBrowserContainer::InvokeSync
WebBrowserContainer::InvokeSync
WebBrowserContainer::InvokeASync
WebBrowserContainer::InvokeASync
WebBrowserContainer::SetInvokeSyncCallback
WebBrowserContainer::SetInvokeSyncCallback
n%D,3
n%D,3
WebWindow::WebWindow
WebWindow::WebWindow
WebWindow.cpp
WebWindow.cpp
WebWindow::~WebWindow
WebWindow::~WebWindow
WebWindow::WindowProc_
WebWindow::WindowProc_
WebWindow::OnKillFocus
WebWindow::OnKillFocus
WebWindow::OnSetFocus
WebWindow::OnSetFocus
WebWindow::Create
WebWindow::Create
WebWindow::Show
WebWindow::Show
WebWindow::GetWindowRect
WebWindow::GetWindowRect
WebWindow::GetClientRect
WebWindow::GetClientRect
WebWindow::SetAlphaColorKey
WebWindow::SetAlphaColorKey
WebWindow::OnEraseBackground
WebWindow::OnEraseBackground
WebBrowserDispatcher::WebBrowserDispatcher
WebBrowserDispatcher::WebBrowserDispatcher
WebBrowserDispatcher.cpp
WebBrowserDispatcher.cpp
WebBrowserDispatcher::~WebBrowserDispatcher
WebBrowserDispatcher::~WebBrowserDispatcher
WebBrowserDispatcher::InitGIT
WebBrowserDispatcher::InitGIT
WebBrowserDispatcher::GetDocumentInterface
WebBrowserDispatcher::GetDocumentInterface
WebBrowserDispatcher::GetIDsOfNames
WebBrowserDispatcher::GetIDsOfNames
WebBrowserDispatcher::Invoke
WebBrowserDispatcher::Invoke
WebBrowserDispatcher::DisconnectAllHtmlEvents
WebBrowserDispatcher::DisconnectAllHtmlEvents
WebBrowserDispatcher::ConnectEvents
WebBrowserDispatcher::ConnectEvents
WebBrowserDispatcher::DisconnectEvents
WebBrowserDispatcher::DisconnectEvents
WebBrowserDispatcher::OnDocumentComplete
WebBrowserDispatcher::OnDocumentComplete
WebBrowserDispatcher::OnBeforeNavigate
WebBrowserDispatcher::OnBeforeNavigate
WebBrowserDispatcher::OnNavigateComplete
WebBrowserDispatcher::OnNavigateComplete
WebBrowserDispatcher::OnNavigateError
WebBrowserDispatcher::OnNavigateError
WebBrowserDispatcher::OnWindowStateChanged
WebBrowserDispatcher::OnWindowStateChanged
WebBrowserDispatcher::OnDownloadComplete
WebBrowserDispatcher::OnDownloadComplete
WebBrowserDispatcher::OnDownloadBegin
WebBrowserDispatcher::OnDownloadBegin
WebBrowserDispatcher::OnWindowClosing
WebBrowserDispatcher::OnWindowClosing
WebBrowserExternal::WebBrowserExternal
WebBrowserExternal::WebBrowserExternal
WebBrowserExternal.cpp
WebBrowserExternal.cpp
WebBrowserExternal::~WebBrowserExternal
WebBrowserExternal::~WebBrowserExternal
WebBrowserExternal::Invoke
WebBrowserExternal::Invoke
WebBrowserExternal::OnApiWriteDebugString
WebBrowserExternal::OnApiWriteDebugString
WebBrowserExternal::GetTypeInfo
WebBrowserExternal::GetTypeInfo
WebBrowserExternal::GetTypeInfoCount
WebBrowserExternal::GetTypeInfoCount
WebBrowserExternal::GetDispatch
WebBrowserExternal::GetDispatch
WebBrowserExternal::GenerateFunctionsAndDISPIDs
WebBrowserExternal::GenerateFunctionsAndDISPIDs
CWebBrowserFocusWnd::CWebBrowserFocusWnd
CWebBrowserFocusWnd::CWebBrowserFocusWnd
WebBrowserFocusWnd.cpp
WebBrowserFocusWnd.cpp
CWebBrowserFocusWnd::~CWebBrowserFocusWnd
CWebBrowserFocusWnd::~CWebBrowserFocusWnd
BaseWnd.cpp
BaseWnd.cpp
D:\builds\27\Search Protector\SP-1.5.0-CI\Binaries\Win32\Release\cltmng.pdb
D:\builds\27\Search Protector\SP-1.5.0-CI\Binaries\Win32\Release\cltmng.pdb
SetProcessShutdownParameters
SetProcessShutdownParameters
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
MSVCP100.dll
MSVCP100.dll
SHLWAPI.dll
SHLWAPI.dll
VERSION.dll
VERSION.dll
PSAPI.DLL
PSAPI.DLL
MSVCR100.dll
MSVCR100.dll
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
_crt_debugger_hook
_crt_debugger_hook
dbghelp.dll
dbghelp.dll
CryptMsgGetParam
CryptMsgGetParam
CertFindCertificateInStore
CertFindCertificateInStore
CertGetNameStringW
CertGetNameStringW
CertFreeCertificateContext
CertFreeCertificateContext
CertCloseStore
CertCloseStore
CryptMsgClose
CryptMsgClose
CRYPT32.dll
CRYPT32.dll
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHeap
GetProcessHeap
GDI32.dll
GDI32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
UrlUnescapeW
UrlUnescapeW
InternetCrackUrlW
InternetCrackUrlW
HttpOpenRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
HttpSendRequestExW
HttpSendRequestExW
HttpEndRequestW
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoA
WININET.dll
WININET.dll
GetProcessWindowStation
GetProcessWindowStation
RegCreateKeyExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegQueryInfoKeyW
ReportEventA
ReportEventA
COMCTL32.dll
COMCTL32.dll
.?AVwindows_file_codecvt@@
.?AVwindows_file_codecvt@@
.?AVIHttpAsyncCallback@Utils@SearchProtector@Conduit@@
.?AVIHttpAsyncCallback@Utils@SearchProtector@Conduit@@
.?AVCmdLine@TCLAP@@
.?AVCmdLine@TCLAP@@
.?AVCmdLineInterface@TCLAP@@
.?AVCmdLineInterface@TCLAP@@
.?AVCmdLineOutput@TCLAP@@
.?AVCmdLineOutput@TCLAP@@
.?AVCmdLineParseException@TCLAP@@
.?AVCmdLineParseException@TCLAP@@
.?AV?$sp_counted_impl_p@VLoginManager@@@detail@boost@@
.?AV?$sp_counted_impl_p@VLoginManager@@@detail@boost@@
.PA_W
.PA_W
.?AV?$thread_data@V?$bind_t@XV?$BindThis2@_NVDialogsManager_@@PAVIWebBrowserContainer@@PAUtagDISPPARAMS@@@@V?$list2@V?$value@PAVIWebBrowserContainer@@@_bi@boost@@V?$value@PAUtagDISPPARAMS@@@23@@_bi@boost@@@_bi@boost@@@detail@boost@@
.?AV?$thread_data@V?$bind_t@XV?$BindThis2@_NVDialogsManager_@@PAVIWebBrowserContainer@@PAUtagDISPPARAMS@@@@V?$list2@V?$value@PAVIWebBrowserContainer@@@_bi@boost@@V?$value@PAUtagDISPPARAMS@@@23@@_bi@boost@@@_bi@boost@@@detail@boost@@
.?AVLoginManager@@
.?AVLoginManager@@
.?AVWebBrowserDispatcher@@
.?AVWebBrowserDispatcher@@
.?AVWebWindow@@
.?AVWebWindow@@
.?AVIWebBrowserContainer@@
.?AVIWebBrowserContainer@@
.?AVWebBrowserContainer@@
.?AVWebBrowserContainer@@
.?AVWebBrowserExternal@@
.?AVWebBrowserExternal@@
.?AVCWebBrowserFocusWnd@@
.?AVCWebBrowserFocusWnd@@
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\
/1::::0/
/1::::0/
.8:::;::8.
.8:::;::8.
0"8 8<<5
0"8 8<<5
>633,, ,&36>
>633,, ,&36>
ttt.ttt{mnn
ttt.ttt{mnn
ttt.ttttprp
ttt.ttttprp
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
PAD-----BEGIN PUBLIC KEY-----
PAD-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----END PUBLIC KEY-----
5U5l6
5U5l6
8"8'8@8{8
8"8'8@8{8
;%;.;@;[;
;%;.;@;[;
8Ÿ9|9
8Ÿ9|9
6%6.6@6[6
6%6.6@6[6
4%5U5-6`6e6
4%5U5-6`6e6
9&:2:[:`:
9&:2:[:`:
8%8X8a8s8
8%8X8a8s8
9):.:4:~:
9):.:4:~:
1/2u2
1/2u2
;&<5><pre>3<4><pre>7%7X7</pre><pre>>%? ?2?\?</pre><pre>7t7D7L7[7w7|7</pre><pre>:":):0:7:</pre><pre>< <&<,<2><pre>6,6064686<6><pre>4%4S4Z4c4l4</pre><pre>8&81888~8</pre><pre>; <$<(<,<0><pre>9;<#=(=2=</pre><pre>9Â9J9P9f9</pre><pre>4L4</pre><pre>4#41494~4</pre><pre>6 6,646<6><pre>? ?$?(?,?0?4?8?<?php@?</pre><pre>3 3$3(3,30343</pre><pre>9 9$9(9,909</pre><pre>: :$:(:,:0:</pre><pre>6 6$6(6,6064686<6</pre><pre>4,=0=4=8=</pre><pre>3 3$3(3,3034383<3</pre><pre>: :$:$;(;,;0;4;8;</pre><pre>7,787\7|7</pre><pre>Login</pre><pre>LoggerConfig.xml</pre><pre>1.5.0.71</pre><pre>SetProcessShutdownParameters ,bRet:</pre><pre>CreateIoCompletionPort, hFile=</pre><pre>Error in CreateIoCompletionPort, err</pre><pre>Exit function. uiKey=</pre><pre>uiMonitorKey=</pre><pre>MonitorDirectoryThread(): I/O Operation has been canceled, Stopped=</pre><pre>CloseHandle on hDirOPPort, GetLastError=</pre><pre>PWM_SYSKEYDOWN</pre><pre>RWM_KEYUP</pre><pre>TWM_CTLCOLORMSGBOX</pre><pre>AIDispatch error #%d</pre><pre>user32.dll</pre><pre>Blog4cxx.dll</pre><pre>Firefox</pre><pre>Chrome</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion</pre><pre>rep.dat</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>msvcp100.dll</pre><pre>msvcr100.dll</pre><pre>yGetProccessID Failed on explorer.exe!</pre><pre>Integrity level is high while explorer.exe is not!</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>m_InitDataChangeQueue.size() =</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/smart_ptr/shared_ptr.hpp</pre><pre>ChromeModule.dll</pre><pre>FirefoxModule.dll</pre><pre>InternetExplorerModule.dll</pre><pre>Enter function. wkey=</pre><pre>GetSetting wkey=</pre><pre>GetSetting failed getting wkey=</pre><pre>Overwritting previous setting. key=</pre><pre>wUrl=</pre><pre>https://servicemap.conduit-services.com/sp</pre><pre>https://servicemap.qaconduit-services.com/sp</pre><pre>Exit function. wUrl=</pre><pre>Missing Export entries in DLL</pre><pre>t!pAssetChangedData</pre><pre>pAssetEvent == NULL</pre><pre>translatedKeys</pre><pre>Missing array of translated keys!</pre><pre>keyId</pre><pre>Couldn't find translation for key</pre><pre>Couldn't find default translation for key</pre><pre>Enter function. wKey=</pre><pre>Unsupported dialog position =</pre><pre>cNot enough arguments were passed</pre><pre>Finish Reason is unsupported =</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/auto_buffer.hpp</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/signal_template.hpp</pre><pre>_shared_state.unique()</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/slot_groups.hpp</pre><pre>this_map_it != _group_map.end()</pre><pre>it != _list.end()</pre><pre>map_it != _group_map.end()</pre><pre>weakly_equivalent(map_it->first, key)</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/optional/optional.hpp</pre><pre>members_.capacity_ >= N</pre><pre>members_.capacity_ >= n</pre><pre>size_ <= members_.capacity_</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/thread/win32/thread_primitives.hpp</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/thread/win32/thread_heap_alloc.hpp</pre><pre>detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/smart_ptr/scoped_ptr.hpp</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/variant/detail/visitation_impl.hpp</pre><pre>D:\builds\27\Search Protector\SP-1.5.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/variant/detail/forced_return.hpp</pre><pre>SPSetup.exe</pre><pre>sPendingFileRenameOperations</pre><pre>Deleted the error report from requests map =</pre><pre>tKeepCrashReports</pre><pre>CRASH*.txt</pre><pre>CRASH*.dmp</pre><pre>Maxed out retries count for error report:</pre><pre>HomePageUrl</pre><pre>SearchUrl</pre><pre>Unable to get current Asset URL for</pre><pre>Sending login for browser =</pre><pre>LoginData=</pre><pre>Not sending login for browser =</pre><pre>autoUpdateModuleUrl</pre><pre>AutoUpdateDownloadUrl</pre><pre>.Invalid URL</pre><pre>Starting download: m_wAutoUpdateURL=</pre><pre>DownloadFileAsync Error. Unable to download auto-update file, URL:</pre><pre>SPUpdater.exe</pre><pre>Key has changed!</pre><pre>Software\Mozilla\Mozilla Firefox</pre><pre>tPathToExe</pre><pre>Change in exe directory detected.</pre><pre>serviceMapUrl</pre><pre>3.6.0.0</pre><pre>3.7.0.0</pre><pre>CustomizedAssetUrl</pre><pre>Unknown server setting. key =</pre><pre>Interval hasn't passed yet for</pre><pre>data.iRefreshInterval=</pre><pre>. HTTP Code:</pre><pre>Getting service failed. URL:</pre><pre>Exit function. Failed getting Client Log service, Not reporting error on it,Avoid Poison Reverse</pre><pre>eSet key path [</pre><pre>No knowledge of current url for asset.</pre><pre>Current url:</pre><pre>KnownUrlForState</pre><pre>No last known url (Shouldn't happen). Sending Asset change event</pre><pre>CurrentUrl=</pre><pre>, Known url=</pre><pre>e wCurrentUrl=</pre><pre>!pAssetChangeEvent || !pAssetChangeEvent->NewAssetData()</pre><pre>PreviousUrl=</pre><pre>NewUrl=</pre><pre>MyKnownUrl=</pre><pre>Unable to parse CTID from new conduit search URL:</pre><pre>Not protecting firefox!</pre><pre>This lose event already executed.</pre><pre>, prev URL</pre><pre>, new URL</pre><pre>Url found as invalid</pre><pre>http://search.conduit.com/?ctid=</pre><pre>Failed to build default url :</pre><pre>No valid url to takeover with</pre><pre>Url before update:</pre><pre>m_pSearchAssetData->Url()=</pre><pre>SearchAssetManaget->GetCtidAssetUrl failed for CTID:</pre><pre>aggressiveTakeoverWindowSec</pre><pre>Enter function. wMainUrl=</pre><pre>wNewUrl=</pre><pre>wMainUrl=</pre><pre>Enter function. wSearchApiCtidUrl=</pre><pre>New url and search api urls are identical. Nothing to merge or takeover.</pre><pre>takeover_url</pre><pre>Enqueuing usage report:</pre><pre>Unable to build usage report</pre><pre>No queued usages to report</pre><pre>..\Dialogs\spsd\main.html</pre><pre>Reg Key:</pre><pre>revertedUrl</pre><pre>Url Reverted to</pre><pre>different from new url</pre><pre>d-d-d d:d:d</pre><pre>RegCloseKey failed. Name=</pre><pre>hKey is null. Error code:</pre><pre>, bKeyExist=</pre><pre>RegCloseKey failed</pre><pre>RegCreateKeyExW failed</pre><pre>yExitFunction hKey = 0x</pre><pre>RegNotifyChangeKeyValue failed</pre><pre>pHttpAsyncData == NULL</pre><pre>wUrl=</pre><pre>Exception while trying to send HTTP request</pre><pre>Exception(...) while trying to send HTTP request</pre><pre>Deleting pHttpAsyncData</pre><pre>Qsearch.conduit.com</pre><pre>search.qasite.com</pre><pre>%s%s%s</pre><pre>], Url[</pre><pre>Shell.Explorer</pre><pre>Failed reciving IWebBrowser 2 from IUnknown</pre><pre>WebWindow::Create failed</pre><pre>EnterFunction bsUrl=</pre><pre>Navigate received null Url</pre><pre>m_pWebBrowser is NULL !!!</pre><pre>Browser is busy navigation will not be execute</pre><pre>Exception: Navigate failed!!! url=</pre><pre>Stoping IWebBrowser2 ...</pre><pre>m_pWebBrowser->Stop failed. hRes=</pre><pre>get_URL failed</pre><pre>EnterFunction clrColorKey =</pre><pre>SetAlphaColorKey failed</pre><pre>SP_Web_Window</pre><pre>Failed to load user32.dll</pre><pre>m_pWebBrowser is NULL</pre><pre>Windows.External.writeDebugString</pre><pre>Windows.External.InvokePlatformAction: param 1 is not string</pre><pre>SetWindowSubclass Failed</pre><pre>TSPHOOK_MSG_NEW_WINDOW_CREATED</pre><pre>SPHOOK_MSG_USER_CHANGED_HOMEPAGE</pre><pre>SPHOOK_MSG_USER_CHANGED_SEARCH_PROVIDER</pre><pre>SPHOOK_MSG_IE_FRAME_ACTIVATED</pre><pre>SPHOOK_MSG_END_HOOK</pre><pre>SPHOOK_REGISTRY_CHANGED_MSG</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents</pre><pre>%s [Recovered]</pre><b>cltmng.exe_2492_rwx_011D0000_00002000:</b><pre>SHELL32.DLL</pre><pre>ShellExecuteA</pre><pre>KERNEL32.DLL</pre><pre>.rsrc</pre><pre>.text</pre><b>cltmng.exe_2492_rwx_011E0000_00001000:</b><pre>|cltmng.exeM_2492_</pre><b>Explorer.EXE_1684_rwx_00EE0000_00002000:</b><pre>SHELL32.DLL</pre><pre>ShellExecuteA</pre><pre>KERNEL32.DLL</pre><pre>.rsrc</pre><pre>.text</pre><b>Explorer.EXE_1684_rwx_00EF0000_00001000:</b><pre>|explorer.exeM_1684_</pre><b>Explorer.EXE_1684_rwx_038D0000_0108E000:</b><pre>c:\windows</pre><pre>http://202.143.159.135/images/logo.gif</pre><pre>http://bem.dk/images/logof.gif</pre><pre>http://banboon.com/images/logo.gif</pre><pre>http://bdb.com.my/logo.gif</pre><pre>http://baulaung.org/images/logo.gif</pre><pre>http://bazyar-arya.com/logo.gif</pre><pre>http://barlikinsaat.com.tr/images/logo.gif</pre><pre>http://basamakhalisi.com/logo.gif</pre><pre>%System%\drivers\hlmihn.sys</pre><pre>13714532319</pre><pre>SHELL32.DLL</pre><pre>ShellExecuteA</pre><pre>KERNEL32.DLL</pre><pre>.rsrc</pre><pre>.text</pre><pre>http://89.119.67.154/testo5/</pre><pre>http://kukutrustnet777.info/home.gif</pre><pre>http://kukutrustnet888.info/home.gif</pre><pre>http://kukutrustnet987.info/home.gif</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>h.rdata</pre><pre>H.data</pre><pre>.reloc</pre><pre>ntoskrnl.exe</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)</pre><pre>Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>http://www.klkjwre9fqwieluoi.info/</pre><pre>http://kukutrustnet777888.info/</pre><pre>Software\Microsoft\Windows\CurrentVersion\policies\system</pre><pre>Software\Microsoft\Windows\ShellNoRoam\MUICache</pre><pre>%s:*:Enabled:ipsec</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>GdiPlus.dll</pre><pre>http://</pre><pre>ipfltdrv.sys</pre><pre>www.microsoft.com</pre><pre>?%x=%d</pre><pre>&%x=%d</pre><pre>SYSTEM.INI</pre><pre>USER32.DLL</pre><pre>.%c%s</pre><pre>\\.\amsint32</pre><pre>NTDLL.DLL</pre><pre>autorun.inf</pre><pre>ADVAPI32.DLL</pre><pre>win%s.exe</pre><pre>%s.exe</pre><pre>WININET.DLL</pre><pre>InternetOpenUrlA</pre><pre>avast! Web Scanner</pre><pre>Avira AntiVir Premium WebGuard</pre><pre>cmdGuard</pre><pre>cmdAgent</pre><pre>Eset HTTP Server</pre><pre>ProtoPort Firewall service</pre><pre>SpIDer FS Monitor for Windows NT</pre><pre>Symantec Password Validation</pre><pre>WebrootDesktopFirewallDataService</pre><pre>WebrootFirewall</pre><pre>%d%d.tmp</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</pre><pre>%s\%s</pre><pre>%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Stats</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects</pre><pre>Explorer.exe</pre><pre>A2CMD.</pre><pre>ASHWEBSV.</pre><pre>AVGCC.AVGCHSVX.</pre><pre>DRWEB</pre><pre>DWEBLLIO</pre><pre>DWEBIO</pre><pre>FSGUIEXE.</pre><pre>MCVSSHLD.</pre><pre>NPFMSG.</pre><pre>SYMSPORT.</pre><pre>WEBSCANX.</pre><pre>.adata</pre><pre>M_%d_</pre><pre>%c%d_%d</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>GetProcessHeap</pre><pre>GetWindowsDirectoryA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>SHFileOperationA</pre><pre>&3&3&3&389</pre><pre>.rdata</pre><pre>.data</pre><pre>Bkrnl.exe?</pre><pre>= =$=(=,=</pre><pre>322%2`.50728)</pre><pre>.klkjw:9fqwi</pre><pre>FamXf39.sys</pre><pre>.pBTa8</pre><pre>%s:*:</pre><pre>Bg.laXV</pre><pre>&?%x=</pre><pre>GUrlA'</pre><pre>Web%w|nc</pre><pre>HTTP)</pre><pre>2GUARDCMD.</pre><pre>.ENHCDM</pre><pre>PL/KPCKwWEB</pre><pre>MM.PFW.</pre><pre>.bssf</pre><pre>J:CRT</pre><pre>ADVAPI32.dll</pre><pre>MSVCRT.dll</pre><pre>SHELL32.dll</pre><pre>WS2_32.dll</pre></div><div class="blog_tab" id="tab3"><p><strong class="font_20"><span style="font-size:medium;">Remove it with Ad-Aware</span></strong></p><ol><li>Click (<a href="http://lavasoft.com/thankyou.php?internal=true&inter=encyclopedia"><span style="color: #0000ff;">here</span></a>) to download and install Ad-Aware Free Antivirus.</li><li>Update the definition files.</li><li>Run a full scan of your computer.</li></ol><p><strong class="font_20"><span style="font-size:medium;">Manual removal*</span></strong></p><ol><li>Terminate malicious process(es) (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-end-a-process-with-the-task-manager"><span style="color: #0000ff;">How to End a Process With the Task Manager</span></a>):<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">CltMngSvc.exe:2068<br>CltMngSvc.exe:224<br>nsm4.exe:148<br>%original file name%.exe:1276<br>cltmng.exe:2516<br>nsq9.exe:1404<br></p></li><li>Delete the original Virus file.<br></li><li>Delete or disinfect the following files created/modified by the Virus:<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\inetc.dll (24 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\json2.js (784 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\settings.js (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\winaownli.exe (741 bytes)<br>%Program Files%\SearchProtect\ffprotect\nsprotector.js (1 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\0014EDF8_Rar\%original file name%.exe (15799 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.exe (3616 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe (89498 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\settings.js (11 bytes)<br>%Program Files%\SearchProtect\bin\SPHook32.dll (5520 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook32.dll (5520 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\main.html (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcp100.dll (14184 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (741694 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (11 bytes)<br>%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (3312 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\popupTransparent.xul (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPRunner.exe (11048 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\FirefoxModule.dll (34773 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (175875 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)<br>%Program Files%\SearchProtect\bin\uninstall.exe (6584 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\abstraction.js (52 bytes)<br>%Program Files%\SearchProtect\bin\SPRunner.exe (11048 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsz8.tmp (1856 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\main.html (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\msvcr100.dll (25824 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)<br>%System%\msvcr100.dll (10882 bytes)<br>%Program Files%\SearchProtect\bin\cltmng.exe (89498 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\ChromeModule.dll (28288 bytes)<br>%WinDir%\system.ini (72 bytes)<br>%Program Files%\SearchProtect\Dialogs\dialogsApi.js (1 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsm4.exe (3616 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ConduitMsTimestamp.dll (3616 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\dialogsApi.js (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (3 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\CltMngSvc.exe (3312 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (784 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\nsprotector.js (1 bytes)<br>%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (1 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (986 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\main.html (986 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)<br>%System%\msvcp100.dll (4642 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)<br>%Program Files%\SearchProtect\bin\ChromeModule.dll (28288 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (6 bytes)<br>%Program Files%\SearchProtect\bin\FirefoxModule.dll (34773 bytes)<br>%Program Files%\SearchProtect\ffprotect\abstraction.js (52 bytes)<br>%Program Files%\SearchProtect\bin\msvcr100.dll (25824 bytes)<br>%Program Files%\SearchProtect\bin\InternetExplorerModule.dll (33877 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (938 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)<br>%Program Files%\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\application.js (3312 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)<br>%Program Files%\SearchProtect\bin\CltMngSvc.exe (3312 bytes)<br>%Program Files%\SearchProtect\ffprotect\application.js (601 bytes)<br>%Program Files%\SearchProtect\bin\msvcp100.dll (14184 bytes)<br>%Program Files%\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\main.html (986 bytes)<br>%Program Files%\SearchProtect\Dialogs\lib\json2.js (784 bytes)<br>%Program Files%\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp\inetc.dll (24 bytes)</p></li><li>Delete the following value(s) in the autorun key (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-work-with-the-system-registry"><span style="color: #0000ff;">How to Work with System Registry</span></a>):<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br>"SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"<br><br>[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]<br>"SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"</p></li><li>Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.<br></li><li>Reboot the computer.<br></li></ol>*Manual removal may cause unexpected system behaviour and should be performed at your own risk.</div></di?></pre></6></pre></0></pre></6></pre></2></pre></4></pre></5>