Detections: Win32.Expiro.CM (B) (Emsisoft), Win32.Expiro.CM (AdAware), Trojan.Win32.Alureon.FD, Virus.Win32.Expiro.FD, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cb076733c9685d3ea5995c133dca2595
SHA1: 69cf0e504a565fe0a5d0b949fb4a052ca2a29255
SHA256: 402e565483bd1d5990590ebb26203cb3b0d5b5d51a610be56fde43747aa67c18
SSDeep: 196608:7XbbU8FQGjzNdLQJJ8pI7VFPqgfs9cDDGZEEd2jB05d0mxew/IvzSOgofQproxtE:7XbA8OGvN6mIxFSgfsCyWkqmxewAvzxz
Size: 12096512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: setupprocess
Created at: 2007-05-02 06:18:38
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
BBSetup.exe:1124
infocard.exe:160
MsiExec.exe:1584
%original file name%.exe:272
cidaemon.exe:1376
The Virus injects its code into the following process(es):
cisvc.exe:340
dmadmin.exe:1684
File activity
The process cisvc.exe:340 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
The Virus deletes the following file(s):
%System%\cbdgekje.tmp (0 bytes)
%System%\neijblpa.tmp (0 bytes)
%System%\mpcjkned.tmp (0 bytes)
%System%\aakckbok.tmp (0 bytes)
%System%\nikpbefm.tmp (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mlhmlmci.tmp (0 bytes)
C:\System Volume Information\catalog.wci\00000001.ps2 (0 bytes)
C:\System Volume Information\catalog.wci\00000001.ps1 (0 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\dadacani.tmp (0 bytes)
The process BBSetup.exe:1124 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIec7c0.LOG (190 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (0 bytes)
The process %original file name%.exe:272 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (187080 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (3798 bytes)
%System%\nmlmjcen.tmp (3679 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (9098 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (7 bytes)
%System%\clipsrv.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (4185 bytes)
%System%\jpfilhdf.tmp (3896 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (2 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (3697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (3624 bytes)
%System%\dmadmin.exe (5873 bytes)
%System%\finngebb.tmp (3679 bytes)
%System%\mqkdhfhm.tmp (3705 bytes)
%System%\cisvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (14377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (1290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (4 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (0 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (0 bytes)
%System%\nmlmjcen.tmp (0 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (0 bytes)
%System%\mqkdhfhm.tmp (0 bytes)
%System%\jpfilhdf.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (0 bytes)
%System%\finngebb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)
The process dmadmin.exe:1684 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%WinDir% (300 bytes)
%System%\config (8 bytes)
C:\$Directory (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (4 bytes)
%WinDir%\Installer (96 bytes)
C:\System Volume Information\catalog.wci (4 bytes)
%System% (6448 bytes)
Registry activity
The process cisvc.exe:340 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
"(Default)" = "MSIDXSErrorLookup"
[HKCR\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{c1243ca0-bf96-11cd-b579-08002b30bfeb}"
[HKCR\EngUKWrdBrk.EngUKWrdBrk.1\CLSID]
"(Default)" = "{363F1015-FD5F-4ba8-AC58-29634F378A42}"
[HKCR\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk.1]
"(Default)" = "SpnMdrWrdBrk Class"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"About" = "{95ad72f0-44ce-11d0-ae29-00aa004b9986}"
[HKCR\CLSID\{95ad72f0-44ce-11d0-ae29-00aa004b9986}\InprocServer32]
"(Default)" = "CIAdmin.dll"
[HKCR\EngUSWrdBrk.EngUSWrdBrk.1]
"(Default)" = "EngUSWrdBrk Class"
[HKCR\.asp\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{6d36ce10-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\ProgID]
"(Default)" = "ISSimpleCommandCreator.1"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}]
"(Default)" = "ItlItlWrdBrk Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 2A 5C 0A E5 F6 7E D0 31 33 4A 96 B6 7B DF 10"
[HKCR\Microsoft.ISAdm.1]
"(Default)" = "Microsoft Index Server Administration Object"
[HKCR\CLSID\{b0516ff0-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Italian_Italian]
"WBreakerClass" = "{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}"
[HKCR\CLSID\{9478f640-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"Version" = "1.0"
[HKCR\CLSID\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk\CurVer]
"(Default)" = "SpnMdrWrdBrk.SpnMdrWrdBrk.1"
[HKCR\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
"(Default)" = "Content Index ISearch Creator Object"
[HKCR\.eml]
"(Default)" = "Microsoft Internet Mail Message"
[HKCR\.ascx\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\Interface\{F4EB8260-8DDA-11D1-B3AA-00A0C9063796}\ProxyStubClsid32]
"(Default)" = "{C04EFA90-E221-11D2-985E-00C04F575153}"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\VersionIndependentProgID]
"(Default)" = "ItlItlWrdBrk.ItlItlWrdBrk"
[HKCR\CLSID\{00022603-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{01c6b350-12c7-11ce-bd31-00aa004bbb1f}]
"(Default)" = "Swedish_Default Word Breaker"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}]
"(Default)" = "File System Client DocStore Locator Object"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{00022602-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\.aspx\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ProgID]
"(Default)" = "MSIDXS.1"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Swedish_Default]
"StemmerClass" = "{9478f640-7f1c-11ce-be57-00aa0051fe20}"
[HKCR\CLSID\{59e09848-8099-101b-8df3-00000b65c3b5}]
"(Default)" = "French_French Word Breaker"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}]
"(Default)" = "SpnMdrWrdBrk Class"
[HKCR\Microsoft.ISAdm.1\CLSID]
"(Default)" = "{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\Microsoft.ISScopeAdm\CurVer]
"(Default)" = "Microsoft.ISScopeAdm.1"
[HKCR\CLSID\{9b08e210-e51b-11cd-bc7f-00aa003db18e}]
"(Default)" = "German_German Word Breaker"
[HKCR\CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\EngUSWrdBrk.EngUSWrdBrk.1\CLSID]
"(Default)" = "{80A3E9B0-A246-11D3-BB8C-0090272FA362}"
[HKCR\.html\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk]
"(Default)" = "SpnMdrWrdBrk Class"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{5645C8C3-E277-11CF-8FDA-00AA00A14F93}]
"(Default)" = "NNTP filter"
[HKCR\CLSID\{EA7BAE70-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\.nws]
"(Default)" = "Microsoft Internet News Message"
[HKCR\Microsoft.ISScopeAdm.1\CLSID]
"(Default)" = "{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\.xls\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk.1\CLSID]
"(Default)" = "{91870674-DE84-4313-B07D-A387415BB4F5}"
[HKCR\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}]
"(Default)" = "Null persistent handler"
[HKCR\CLSID\{860d28d0-8bf4-11ce-be59-00aa0051fe20}]
"(Default)" = "Dutch_Dutch Stemmer"
[HKCR\EngUSWrdBrk.EngUSWrdBrk\CurVer]
"(Default)" = "EngUSWrdBrk.EngUSWrdBrk.1"
[HKCR\.hta\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
"(Default)" = "Microsoft.ISScopeAdm.1"
[HKCR\CLSID\{e0ca5340-4534-11cf-b952-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Microsoft.ISCatAdm.1\CLSID]
"(Default)" = "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\.doc\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\IXSSO.Util\CLSID]
"(Default)" = "{0C16C27E-A6E7-11D0-BFC3-0020F8008024}"
[HKCR\CLSID\{66b37110-8bf2-11ce-be59-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk.1]
"(Default)" = "FrnFrnWrdBrk Class"
[HKCR\Microsoft.ISScopeAdm\CLSID]
"(Default)" = "{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}]
"(Default)" = "English_UK Stemmer"
[HKCR\Microsoft.ISAdm\CLSID]
"(Default)" = "{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\CLSID\{AA205A4D-681F-11D0-A243-08002B36FCA4}]
"(Default)" = "File System Client Filter Object"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}\ProgID]
"(Default)" = "IXSSO.Util"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\CLSID\{C04EFA90-E221-11D2-985E-00C04F575153}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\IXSSO.Util.2]
"(Default)" = "Indexing Service Utility SSO V2."
[HKCR\Microsoft.ISScopeAdm.1]
"(Default)" = "Microsoft Index Server Scope Administration Object"
[HKCR\.hhc\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"(Default)" = "%System%\ciodm.dll"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}\InProcServer32]
"(Default)" = "%System%\ixsso.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Spanish_Modern]
"Locale" = "3082"
[HKCR\.xlt\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\VersionIndependentProgID]
"(Default)" = "EngUKWrdBrk.EngUKWrdBrk"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"Provider" = "Microsoft Corporation"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
"(Default)" = "Microsoft.ISCatAdm"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US]
"Locale" = "1033"
[HKCR\CLSID\{eeed4c20-7f1b-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{F4EB8260-8DDA-11D1-B3AA-00A0C9063796}\NumMethods]
"(Default)" = "7"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"WBreakerClass" = "{66b37110-8bf2-11ce-be59-00aa0051fe20}"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}\InProcServer32]
"(Default)" = "%System%\ixsso.dll"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}]
"(Default)" = "EngUKWrdBrk Class"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral]
"Locale" = "0"
[HKCR\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{5645C8C2-E277-11CF-8FDA-00AA00A14F93}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\German_German]
"Locale" = "1031"
[HKCR\CLSID\{0285b5c0-12c7-11ce-bd31-00aa004bbb1f}]
"(Default)" = "Spanish_Modern Word Breaker"
[HKCR\EngUKWrdBrk.EngUKWrdBrk]
"(Default)" = "EngUKWrdBrk Class"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\VersionIndependentProgID]
"(Default)" = "SpnMdrWrdBrk.SpnMdrWrdBrk"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\ProgID]
"(Default)" = "FrnFrnWrdBrk.FrnFrnWrdBrk.1"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}]
"(Default)" = "EngUSWrdBrk Class"
[HKCR\CLSID\{01c6b350-12c7-11ce-bd31-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\EngUKWrdBrk.EngUKWrdBrk\CurVer]
"(Default)" = "EngUKWrdBrk.EngUKWrdBrk.1"
[HKCR\Microsoft.ISCatAdm]
"(Default)" = "Microsoft Index Server Catalog Administration Object"
[HKCR\CLSID\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk\CurVer]
"(Default)" = "FrnFrnWrdBrk.FrnFrnWrdBrk.1"
[HKCR\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{f07f3920-7b8c-11cf-9be8-00aa004b9986}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"StemmerClass" = "{860d28d0-8bf4-11ce-be59-00aa0051fe20}"
[HKCR\.xlb\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{e0ca5340-4534-11cf-b952-00aa0051fe20}"
[HKCR\.htt\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{00020900-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{c3278e90-bea7-11cd-b579-08002b30bfeb}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}]
"(Default)" = "Microsoft Index Server Scope Administration Object"
[HKCR\.dot\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
"(Default)" = "Microsoft.ISAdm"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
"(Default)" = "Microsoft.ISCatAdm.1"
[HKCR\CLSID\{59e09848-8099-101b-8df3-00000b65c3b5}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{00020820-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}\ProgID]
"(Default)" = "IXSSO.Query"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}]
"(Default)" = "Microsoft Index Server Catalog Administration Object"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{476e6449-aaff-11d0-b944-00c04fd8d5b0}\Dynamic Extensions]
"{95AD72F0-44CE-11D0-AE29-00AA004B9986}" = "Indexing Service Snapin"
[HKCR\CLSID\{369647e0-17b0-11ce-9950-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}]
"(Default)" = "IndexServer Simple Command Creator"
[HKCR\IXSSO.Util\CurVer]
"(Default)" = "IXSSO.Util.2"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"Locale" = "1043"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{476e6449-aaff-11d0-b944-00c04fd8d5b0}\Extensions\NameSpace]
"{95AD72F0-44CE-11D0-AE29-00AA004B9986}" = "Indexing Service Snapin"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\.pps\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\MSIDXS ErrorLookup]
"(Default)" = "Microsoft OLE DB Error Lookup for Indexing Service"
[HKCR\CLSID\{c3278e90-bea7-11cd-b579-08002b30bfeb}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{eeed4c20-7f1b-11ce-be57-00aa0051fe20}]
"(Default)" = "English_US Stemmer"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"(Default)" = "%System%\query.dll"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{5401E3E9-F5F6-11D1-B4F7-00C04FC2DB8D}]
"(Default)" = "Indexing Service Root Subtree"
[HKCR\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}]
"(Default)" = "Microsoft Office Filter"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk]
"(Default)" = "FrnFrnWrdBrk Class"
[HKCR\CLSID\{00020821-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{78fe669a-186e-4108-96e9-77b586c1332f}]
"(Default)" = "Content Index Null Stemmer"
[HKCR\CLSID\{369647e0-17b0-11ce-9950-00aa004bbb1f}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{1E9685E6-DB6D-11d0-BB63-00C04FC2F410}]
"(Default)" = "Content Index Framework Control Object"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\OLE DB Provider]
"(Default)" = "Microsoft OLE DB Provider for Indexing Service"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{9b08e210-e51b-11cd-bc7f-00aa003db18e}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{66b37110-8bf2-11ce-be59-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\.ppt\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\ProgID]
"(Default)" = "MSIDXSErrorLookup.1"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk\CurVer]
"(Default)" = "ItlItlWrdBrk.ItlItlWrdBrk.1"
[HKCR\Microsoft Internet Mail Message\CLSID]
"(Default)" = "{5645C8C3-E277-11CF-8FDA-00AA00A14F93}"
[HKCR\CLSID\{48123bc4-99d9-11d1-a6b3-00c04fd91555}\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}]
"(Default)" = "Indexing Service Query SSO V2."
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"NameString" = "Indexing Service"
[HKCR\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{c3278e90-bea7-11cd-b579-08002b30bfeb}"
[HKCR\IXSSO.Query.3\CLSID]
"(Default)" = "{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}"
[HKCR\CLSID\{c1243ca0-bf96-11cd-b579-08002b30bfeb}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{00020906-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\Microsoft.ISCatAdm\CLSID]
"(Default)" = "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK]
"Locale" = "2057"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\French_French]
"Locale" = "1036"
[HKCR\CLSID\{1E9685E6-DB6D-11d0-BB63-00C04FC2F410}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}]
"(Default)" = "HTML File persistent handler"
[HKCR\.xsl\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{510a4910-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\CLSID\{860d28d0-8bf4-11ce-be59-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"NodeType" = "{5401E3E9-F5F6-11D1-B4F7-00C04FC2DB8D}"
[HKCR\Microsoft.ISAdm]
"(Default)" = "Microsoft Index Server Administration Object"
[HKCR\Microsoft Internet News Message]
"(Default)" = "Internet News Message"
[HKCR\.xml\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Spanish_Modern]
"StemmerClass" = "{b0516ff0-7f1c-11ce-be57-00aa0051fe20}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Swedish_Default]
"WBreakerClass" = "{01c6b350-12c7-11ce-bd31-00aa004bbb1f}"
[HKCR\Microsoft.ISAdm\CurVer]
"(Default)" = "Microsoft.ISAdm.1"
The Virus deletes the following registry key(s):
[HKCR\MSIDXS ErrorLookup\Clsid]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}]
[HKCR\MSIDXS\Clsid]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\InprocServer32]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\ProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\InprocServer32]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\ProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\VersionIndependentProgID]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\ProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\ProgID]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\VersionIndependentProgID]
[HKCR\MSIDXS ErrorLookup]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\InprocServer32]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\ProgID]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\ProgID]
[HKCR\MSIDXS]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\OLE DB Provider]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\ProgID]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}]
The process BBSetup.exe:1124 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 54 1E 78 42 2D 7D E7 A7 55 8E 7C C7 DB D4 FC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\BingBar]
"ECPoint"
The process infocard.exe:160 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 7D 0D 2E E9 13 3F FA DF 9E 35 39 B7 94 13 5D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process MsiExec.exe:1584 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\BingBar]
"ECPoint" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 88 47 8A 23 57 18 99 0B 1D FB 9D EC D4 AB D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:272 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A DD 5D B0 09 E7 44 66 C5 E1 18 AB 9A 54 D4 7A"
To run itself automatically each time Windows is booted, the Virus adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Virus deletes the following value(s) in the system registry, disabling automatic startup of the application by removing this autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process cidaemon.exe:1376 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 9F EB 7A 4E 86 74 3E B7 F9 8D 38 B5 0C 78 A4"
The process dmadmin.exe:1684 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD E3 79 14 CA 88 9D F0 5F 9E D1 91 B6 B9 8A D4"
Dropped PE files
| MD5 | File path |
|---|---|
| e898d59a617e2e65c390830479ef0bac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\BBSetup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
BBSetup.exe:1124
infocard.exe:160
MsiExec.exe:1584
%original file name%.exe:272
cidaemon.exe:1376
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps2 (65 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps1 (65 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.001 (8 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.000 (1680 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.002 (8 bytes)
%System%\CatRoot2 (96 bytes)
C:\System Volume Information\catalog.wci\INDEX.002 (20 bytes)
C:\System Volume Information\catalog.wci\INDEX.000 (3840 bytes)
C:\System Volume Information\catalog.wci\INDEX.001 (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
C:\$Directory (3376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIec7c0.LOG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (108 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (960 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mlhmlmci.tmp (3733 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%System%\oobe\html (4 bytes)
%System%\sessmgr.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (8 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
C:\$ConvertToNonresident (4 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
C:\System Volume Information\catalog.wci\CiST0000.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiP10000.000 (5280 bytes)
C:\System Volume Information\catalog.wci\CiP10000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP10000.002 (20 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%System%\dllhost.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%System%\config\AppEvent.Evt (1264 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
C:\System Volume Information\catalog.wci\CiVP0000.000 (240 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\dadacani.tmp (7972 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%System%\aakckbok.tmp (3703 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%System%\config\SysEvent.Evt (456 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\Installer (192 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
C:\System Volume Information\catalog.wci\CiP20000.002 (20 bytes)
C:\System Volume Information\catalog.wci\CiP20000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP20000.000 (5280 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%System%\nikpbefm.tmp (3785 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
C:\System Volume Information\catalog.wci\propstor.bk2 (32328 bytes)
C:\System Volume Information\catalog.wci\propstor.bk1 (16960 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%System%\mpcjkned.tmp (3678 bytes)
%WinDir%\Web (4 bytes)
%System%\neijblpa.tmp (3679 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (440 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (1064 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\cbdgekje.tmp (3812 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (4545 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%System%\netdde.exe (4545 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\msdtc.exe (4185 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.000 (4560 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.002 (16 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\Prefetch\INFOCARD.EXE-14622E55.pf (28 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\Installer\e493a.msi (756 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
C:\System Volume Information\catalog.wci\cicat.hsh (12 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
C:\System Volume Information\catalog.wci\CiCL0001.000 (480 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%WinDir%\Web\printers (4 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\mui (4 bytes)
C:\System Volume Information\catalog.wci\cicat.fid (44 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\wbem\Logs (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
C:\System Volume Information\catalog.wci\CiSL0001.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiFLfffd.000 (480 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%System%\mnmsrvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (187080 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (3798 bytes)
%System%\nmlmjcen.tmp (3679 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (9098 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (7 bytes)
%System%\clipsrv.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (4185 bytes)
%System%\jpfilhdf.tmp (3896 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (2 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (3697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (3624 bytes)
%System%\dmadmin.exe (5873 bytes)
%System%\finngebb.tmp (3679 bytes)
%System%\mqkdhfhm.tmp (3705 bytes)
%System%\cisvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (14377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (1290 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Bing Bar
Product Version: 7.3.132.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 7.3.132.0
File Description: Bing Bar Setup
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43516 | 43520 | 4.52066 | 5aaf18b0265b228406b74943da74970c |
.data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 11448200 | 11448320 | 5.54479 | f5dc50d13f40ef315a22acefac8de6be |
.reloc | 11509760 | 2465792 | 602112 | 5.49384 | b52df8df2c5674426da93c028f61e5ce |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://toolbar.search.msn.com.akadns.net/8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 | |
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 188.43.73.9 |
hxxp://g.ceipmsn.com/8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 | 157.55.34.241 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 188.43.73.9 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:51 GMT
Accept-Ranges: bytes
ETag: "96bfbfb1d77cf1:0"
Server: Microsoft-IIS/8.5
VTag: 438365225700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Tue, 27 May 2014 01:26:03 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 29 Apr 2014 05:04:18 GMT
Accept-Ranges: bytes
ETag: "5c09f796863cf1:0"
Server: Microsoft-IIS/8.5
VTag: 438809327800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Tue, 27 May 2014 01:26:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 HTTP/1.1
User-Agent: BingBar 7.3.132.0
Host: g.ceipmsn.com
HTTP/1.1 200 OK
Content-Length: 0
Date: Tue, 27 May 2014 01:25:28 GMT
Map
The Virus connects to the servers at the following location(s):
Strings from Dumps
cisvc.exe_340:
.text
.text
`.data
`.data
.rsrc
.rsrc
query.dll
query.dll
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
cisvc.pdb
cisvc.pdb
.data
.data
.idata
.idata
.reloc
.reloc
.edata
.edata
.Fk?Z
.Fk?Z
p^.nh
p^.nh
%.C<1
%.C<1
C.QV>
C.QV>
3W.GS
3W.GS
@OH*2kS2^%XBe""$B2jT!^%ZBe,"$HLk6_^/ C
@OH*2kS2^%XBe""$B2jT!^%ZBe,"$HLk6_^/ C
SZ9LiXk$Y<e><pre>B}%fgc</pre><pre>8PPP [Aq;su%Xd]LBu</pre><pre>< '0%CxGQ_([^7v1!9_dPTQ5J^5s!("_n@P].[Vyur7(BoGPBt</pre><pre>Z/t.wG_(>2ZH3B</pre><pre>.sz~f</pre><pre>.cevy</pre><pre>3HE%c</pre><pre>.dohA</pre><pre>`%C@'0.&_`au</pre><pre> X|}9.PFg.6&JmEx}7o</pre><pre>7GX[,%s</pre><pre>*.GjMJ]"Md</pre><pre>*.Gj~jqtN6</pre><pre>.DqT`</pre><pre>K-fc}c1</pre><pre>'EgUch\L</pre><pre>~)%UbaG</pre><pre>.up61</pre><pre>>;& JbYTX.WDi*.61</pre><pre>s-%!.Vu</pre><pre>9qp.NdIA</pre><pre>CRTDLL.DLL</pre><pre>1 2%2.242>2</pre><pre>1!1'1-13191?1</pre><pre>5%6U6q6~6</pre><pre>9":.:9:?:</pre><pre>4M4T4Z4t4</pre><pre>>$>*>^>}></pre><pre>>$>,>2>[></pre><pre>kkqvx_.dll</pre><pre>.rdata</pre><pre>@.data</pre><pre>.pdata</pre><pre>@.idata</pre><pre>9 *\ ,]8</pre><pre>7".lf</pre><pre>['[??^</pre><pre>.DU7)2)</pre><pre>%dz(3</pre><pre>%.pzMWdz</pre><pre>.fga]LM</pre><pre>gIC.Ux>U*1@a8Dig|@</pre><pre>M/ ac[=/M.CZ"SE*X</pre><pre>/H%cJ!LQ*P</pre><pre>r>lz{-L(hM.Zq</pre><pre>@E)HVL' z~w.Fpp/bHM#_S%Y ]</pre><pre>A"p/%uMJOlQ*</pre><pre>A;(@qm-v}</pre><pre>X.DUIQsdD_X></pre><pre>`a$K.Y.QAuoa!-S</pre><pre>N##<,P%4X(</pre><pre>%DW7 :#</pre><pre>[!x%c@M</pre><pre>vKV%c</pre><pre>*<P></P><pre>\[{"SShG$UK;Y3$h*=</pre><pre>sh2}@j.NGVc5</pre><pre>UV.McpOvxrq"m[C}gT<wGjL><pre>/OC2M#:]".Gb9}ZC64]o;}g</pre><pre>kkqvx_64.dll</pre><pre>pstorec.dll</pre><pre>#pstorec.dll</pre><pre>0oleaut32.dll</pre><pre>Ishell32.dll</pre><pre>.SYSTEM</pre><pre>%sfc_os.dll</pre><pre>sfc_os.dll</pre><pre>22EnumDesktopWindows</pre><pre>user32.dll</pre><pre>47PeekNamedPipe</pre><pre>09WinExec</pre><pre>48CreatePipe</pre><pre>R.tmp</pre><pre>chrome.exe</pre><pre>consent.exe</pre><pre>rsvp.exe</pre><pre><CertAddCertificateContextToStore><pre>CertEnumCertificatesInStore</pre><pre>;CertOpenStore</pre><pre>CertCloseStore</pre><pre>CryptFindCertificateKeyProvInfo</pre><pre>PFXExportCertStore</pre><pre>xCertOpenSystemStoreA</pre><pre>CertFreeCertificateContext</pre><pre> 
CertGetNameStringA</pre><pre>Pcrypt32.dll</pre><pre>sfc.dll</pre><pre>}sfc.dll</pre><pre>%s_%u</pre><pre>eole32.dll</pre><pre>04RegCloseKey</pre><pre>02RegCreateKeyExA</pre><pre>00RegOpenKeyExA</pre><pre>32RegSetKeySecurity</pre><pre>31RegEnumKeyExA</pre><pre>advapi32.dll</pre><pre>crtdll.dll</pre><pre>`crtdll.dll</pre><pre>\\?\UN</pre><pre>5.1.2600.5512 (xpsp.080413-0852)</pre><pre>cisvc.exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><b>cisvc.exe_340_rwx_01001000_00001000:</b><pre>cisvc.pdb</pre><pre>query.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>\\?\UN</pre><b>cisvc.exe_340_rwx_01003000_0025A000:</b><pre>.text</pre><pre>.data</pre><pre>.idata</pre><pre>.reloc</pre><pre>.edata</pre><pre>.Fk?Z </pre><pre>p^.nh</pre><pre>%.C<1</pre><pre>C.QV></pre><pre>3W.GS</pre><pre>@OH*2kS2^%XBe""$B2jT!^%ZBe,"$HLk6_^/ C</pre><pre>SZ9LiXk$Y<e><pre>B}%fgc</pre><pre>8PPP [Aq;su%Xd]LBu</pre><pre>< '0%CxGQ_([^7v1!9_dPTQ5J^5s!("_n@P].[Vyur7(BoGPBt</pre><pre>Z/t.wG_(>2ZH3B</pre><pre>.sz~f</pre><pre>.cevy</pre><pre>3HE%c</pre><pre>.dohA</pre><pre>`%C@'0.&_`au</pre><pre> X|}9.PFg.6&JmEx}7o</pre><pre>7GX[,%s</pre><pre>*.GjMJ]"Md</pre><pre>*.Gj~jqtN6</pre><pre>.DqT`</pre><pre>K-fc}c1</pre><pre>'EgUch\L</pre><pre>~)%UbaG</pre><pre>.up61</pre><pre>>;& JbYTX.WDi*.61</pre><pre>s-%!.Vu</pre><pre>9qp.NdIA</pre><pre>KERNEL32.dll</pre><pre>CRTDLL.DLL</pre><pre>1 2%2.242>2</pre><pre>1!1'1-13191?1</pre><pre>5%6U6q6~6</pre><pre>9":.:9:?:</pre><pre>4M4T4Z4t4</pre><pre>>$>*>^>}></pre><pre>>$>,>2>[></pre><pre>kkqvx_.dll</pre><pre>.rdata</pre><pre>@.data</pre><pre>.pdata</pre><pre>@.idata</pre><pre>9 *\ ,]8</pre><pre>7".lf</pre><pre>['[??^</pre><pre>.DU7)2)</pre><pre>%dz(3</pre><pre>%.pzMWdz</pre><pre>.fga]LM</pre><pre>gIC.Ux>U*1@a8Dig|@</pre><pre>M/ ac[=/M.CZ"SE*X</pre><pre>/H%cJ!LQ*P</pre><pre>r>lz{-L(hM.Zq</pre><pre>@E)HVL' z~w.Fpp/bHM#_S%Y 
]</pre><pre>A"p/%uMJOlQ*</pre><pre>A;(@qm-v}</pre><pre>X.DUIQsdD_X></pre><pre>`a$K.Y.QAuoa!-S</pre><pre>N##<,P%4X(</pre><pre>%DW7 :#</pre><pre>[!x%c@M</pre><pre>vKV%c</pre><pre>*<P></P><pre>\[{"SShG$UK;Y3$h*=</pre><pre>sh2}@j.NGVc5</pre><pre>UV.McpOvxrq"m[C}gT<wGjL><pre>/OC2M#:]".Gb9}ZC64]o;}g</pre><pre>kkqvx_64.dll</pre><pre>pstorec.dll</pre><pre>#pstorec.dll</pre><pre>0oleaut32.dll</pre><pre>Ishell32.dll</pre><pre>.SYSTEM</pre><pre>%sfc_os.dll</pre><pre>sfc_os.dll</pre><pre>22EnumDesktopWindows</pre><pre>user32.dll</pre><pre>47PeekNamedPipe</pre><pre>09WinExec</pre><pre>48CreatePipe</pre><pre>R.tmp</pre><pre>chrome.exe</pre><pre>consent.exe</pre><pre>rsvp.exe</pre><pre><CertAddCertificateContextToStore><pre>CertEnumCertificatesInStore</pre><pre>;CertOpenStore</pre><pre>CertCloseStore</pre><pre>CryptFindCertificateKeyProvInfo</pre><pre>PFXExportCertStore</pre><pre>xCertOpenSystemStoreA</pre><pre>CertFreeCertificateContext</pre><pre> CertGetNameStringA</pre><pre>Pcrypt32.dll</pre><pre>sfc.dll</pre><pre>}sfc.dll</pre><pre>%s_%u</pre><pre>eole32.dll</pre><pre>04RegCloseKey</pre><pre>02RegCreateKeyExA</pre><pre>00RegOpenKeyExA</pre><pre>32RegSetKeySecurity</pre><pre>31RegEnumKeyExA</pre><pre>advapi32.dll</pre><pre>crtdll.dll</pre><pre>`crtdll.dll</pre><pre>5.1.2600.5512 (xpsp.080413-0852)</pre><pre>cisvc.exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><b>dmadmin.exe_1684:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>USER32.dll</pre><pre>ole32.dll</pre><pre>RPCRT4.dll</pre><pre>SETUPAPI.dll</pre><pre>CLUSAPI.dll</pre><pre>dmutil.dll</pre><pre>OSUNINST.dll</pre><pre>%S,%lX</pre><pre>%S, %ld</pre><pre>%lx,%S</pre><pre>%S, 
%lX</pre><pre>{lX-X-X-XX-XXXXXX}</pre><pre>Dmserver.ProductType</pre><pre>\Device\%s%c</pre><pre>\\.\FtControl</pre><pre>dmadmin.pdb</pre><pre>HtAHt.Ht</pre><pre>PSSSSh</pre><pre>RegCloseKey</pre><pre>RegOpenKeyA</pre><pre>ReportEventW</pre><pre>RegOpenKeyExW</pre><pre>RegLoadKeyW</pre><pre>RegUnLoadKeyW</pre><pre>RegCreateKeyExW</pre><pre>RegOpenKeyW</pre><pre>RegOpenKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegDeleteKeyW</pre><pre>GetProcessHeap</pre><pre>ntdll.dll</pre><pre>DynamicSupport</pre><pre>Error loading operating system</pre><pre>Missing operating system</pre><pre>WG4%UG4</pre><pre>EYG4%UG4</pre><pre>hSB\%UWd</pre><pre>lSRP%UW;R</pre><pre>fSW=%X</pre><pre>Í11'V$n</pre><pre>2%Ds6%</pre><pre>2%Dw6%</pre><pre>.WG4D</pre><pre>Q~q%X</pre><pre>SW=%X</pre><pre>URlG</pre><pre>.Ds6%</pre><pre>mSW=%X</pre><pre>n.Cod</pre><pre>%FmVt/</pre><pre>WG4QUG4%UG41TG4</pre><pre>%x4UWG</pre><pre>.USD.m</pre><pre>>.Sv0U~</pre><pre>~"65.MnI=</pre><pre>.GV~z</pre><pre>?pv%F</pre><pre>.Otha.</pre><pre>.GqpvU</pre><pre>Ww.do%</pre><pre>%s`(m</pre><pre>nJô'</pre><pre>.tAGq</pre><pre>?{trC%c</pre><pre>:|.fb</pre><pre>w.ldjhkpw7</pre><pre>.DJ_#</pre><pre>>Ðj_c</pre><pre>P?Z.ZFW</pre><pre>B.DRh</pre><pre>Fcrt</pre><pre>.pX]?</pre><pre>TD_%S</pre><pre>Meh.nEDMc</pre><pre>/*7.GZ_n</pre><pre>.Fk?Z </pre><pre>pstorec.dll</pre><pre>#pstorec.dll</pre><pre>p^.nh</pre><pre>0oleaut32.dll</pre><pre>lshell32.dll</pre><pre>Ishell32.dll</pre><pre>.SYSTEM</pre><pre>%.C<1</pre><pre>C.QV></pre><pre>3W.GS</pre><pre>@OH*2kS2^%XBe""$B2jT!^%ZBe,"$HLk6_^/ C</pre><pre>SZ9LiXk$Y<e><pre>B}%fgc</pre><pre>8PPP [Aq;su%Xd]LBu</pre><pre>< '0%CxGQ_([^7v1!9_dPTQ5J^5s!("_n@P].[Vyur7(BoGPBt</pre><pre>%sfc_os.dll</pre><pre>sfc_os.dll</pre><pre>22EnumDesktopWindows</pre><pre>user32.dll</pre><pre>Z/t.wG_(>2ZH3B</pre><pre>.sz~f</pre><pre>.cevy</pre><pre>47PeekNamedPipe</pre><pre>09WinExec</pre><pre>48CreatePipe</pre><pre>`%C@'0.&_`au</pre><pre> 
X|}9.PFg.6&JmEx}7o</pre><pre>7GX[,%s</pre><pre>*.GjMJ]"Md</pre><pre>*.Gj~jqtN6</pre><pre>.DqT`</pre><pre>K-fc}c1</pre><pre>'EgUch\L</pre><pre>~)%UbaG</pre><pre>.up61</pre><pre>>;& JbYTX.WDi*.61</pre><pre><CertAddCertificateContextToStore><pre>CertEnumCertificatesInStore</pre><pre>;CertOpenStore</pre><pre>CertCloseStore</pre><pre>CryptFindCertificateKeyProvInfo</pre><pre>PFXExportCertStore</pre><pre>xCertOpenSystemStoreA</pre><pre>CertFreeCertificateContext</pre><pre> CertGetNameStringA</pre><pre>Pcrypt32.dll</pre><pre>sfc.dll</pre><pre>}sfc.dll</pre><pre>%s_%u</pre><pre>eole32.dll</pre><pre>s-%!.Vu</pre><pre>9qp.NdIA</pre><pre>04RegCloseKey</pre><pre>02RegCreateKeyExA</pre><pre>00RegOpenKeyExA</pre><pre>32RegSetKeySecurity</pre><pre>31RegEnumKeyExA</pre><pre>advapi32.dll</pre><pre>crtdll.dll</pre><pre>`crtdll.dll</pre><pre>\DosDevices\%s</pre><pre>\\.\MountPointManager</pre><pre>signature({lx-x-x-xx-xxxxxx}-lx-6I64x-6I64x)%s</pre><pre>%s\%s</pre><pre>boot.ini</pre><pre>%s,%lX,%s,%lX,%s,%lX</pre><pre>%s\Partition0</pre><pre>%s\Partition1\</pre><pre>%s\Partition1</pre><pre>%s\Partition%d</pre><pre>\??\%c:</pre><pre>signature({lx-x-x-xx-xxxxxx}-lx-6I64x-6I64x)</pre><pre>oNETAPI32.DLL</pre><pre>\Device\CdRom%d</pre><pre>\Device\Harddisk%d\Partition%d</pre><pre>\Device\Harddisk%d</pre><pre>\pipe\dmserver.pnp.dmadmin</pre><pre>System\%s</pre><pre>%c:\SYSTEM</pre><pre>%s\*.*</pre><pre>fmifs.dll</pre><pre>MSG_FORMAT_FAILED</pre><pre>MSG_CLUSTER_COUNT_TOO_HIGH</pre><pre>MSG_CLUSTER_SIZE_TOO_BIG</pre><pre>MSG_CLUSTER_SIZE_TOO_SMALL</pre><pre>MSG_VOL_TOO_BIG</pre><pre>MSG_VOL_TOO_SMALL</pre><pre>MSG_IO_ERROR</pre><pre>MSG_CANT_QUICK_FORMAT</pre><pre>MSG_BAD_LABEL</pre><pre>MSG_FORMAT_CANT_LOCK</pre><pre>MSG_WRITE_PROTECTED</pre><pre>MSG_FORMAT_ACCESS_DENIED</pre><pre>MSG_INCOMPATIBLE_MEDIA</pre><pre>MSG_INCOMPATIBLE_FILE_SYSTEM</pre><pre>:* =|\;.,<>?/[]"</pre><pre>\PAGEFILE.SYS</pre><pre>%s\partition%u</pre><pre>\Device\HarddiskDmVolumes\%S\%S</pre><pre>Drive: %c:\, 
Device:</pre><pre>\Device\%S</pre><pre>%c%cmulti(0)disk(0)rdisk(%ld)partition(%ld)</pre><pre>signature(xxxxxxxxxxxxxxxx)</pre><pre>%1 (%2).</pre><pre>Failed to load DmConfig.dll. Error: %1</pre><pre>The Logical Disk Manager Administrative Service reported an error. Error: %1</pre><pre>2600.5512.503.0</pre><pre>Portions Copyright</pre><pre>dmadmin.exe</pre><pre>Logical Disk Manager for Windows NT</pre><pre>Logical Disk Manager Administrative Service encountered a failure updating boot.ini (x86) or NVRAM (IA64). Do not reboot until you have corrected the problem with your boot entry. Old partition number for current boot partition: 3. New partition number for current boot partition:</pre><b>dmadmin.exe_1684_rwx_010CA000_001C7000:</b><pre>.Fk?Z </pre><pre>pstorec.dll</pre><pre>#pstorec.dll</pre><pre>p^.nh</pre><pre>0oleaut32.dll</pre><pre>lshell32.dll</pre><pre>Ishell32.dll</pre><pre>.SYSTEM</pre><pre>%.C<1</pre><pre>C.QV></pre><pre>3W.GS</pre><pre>@OH*2kS2^%XBe""$B2jT!^%ZBe,"$HLk6_^/ C</pre><pre>SZ9LiXk$Y&lt;e</pre><pre>B}%fgc</pre><pre>8PPP [Aq;su%Xd]LBu</pre><pre>< '0%CxGQ_([^7v1!9_dPTQ5J^5s!("_n@P].[Vyur7(BoGPBt</pre><pre>%sfc_os.dll</pre><pre>sfc_os.dll</pre><pre>22EnumDesktopWindows</pre><pre>user32.dll</pre><pre>Z/t.wG_(>2ZH3B</pre><pre>.sz~f</pre><pre>.cevy</pre><pre>47PeekNamedPipe</pre><pre>09WinExec</pre><pre>48CreatePipe</pre><pre>`%C@'0.&_`au</pre><pre> X|}9.PFg.6&JmEx}7o</pre><pre>7GX[,%s</pre><pre>*.GjMJ]"Md</pre><pre>*.Gj~jqtN6</pre><pre>.DqT`</pre><pre>K-fc}c1</pre><pre>'EgUch\L</pre><pre>~)%UbaG</pre><pre>.up61</pre><pre>>;& JbYTX.WDi*.61</pre><pre>&lt;CertAddCertificateContextToStore</pre><pre>CertEnumCertificatesInStore</pre><pre>;CertOpenStore</pre><pre>CertCloseStore</pre><pre>CryptFindCertificateKeyProvInfo</pre><pre>PFXExportCertStore</pre><pre>xCertOpenSystemStoreA</pre><pre>CertFreeCertificateContext</pre><pre> 
CertGetNameStringA</pre><pre>Pcrypt32.dll</pre><pre>sfc.dll</pre><pre>}sfc.dll</pre><pre>%s_%u</pre><pre>eole32.dll</pre><pre>s-%!.Vu</pre><pre>9qp.NdIA</pre><pre>04RegCloseKey</pre><pre>02RegCreateKeyExA</pre><pre>00RegOpenKeyExA</pre><pre>32RegSetKeySecurity</pre><pre>31RegEnumKeyExA</pre><pre>advapi32.dll</pre><pre>crtdll.dll</pre><pre>`crtdll.dll</pre><b>cidaemon.exe_1376:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>query.dll</pre><pre>ntdll.dll</pre><pre>ole32.dll</pre><pre>cidaemon.pdb</pre><pre>\\?\UN</pre><pre>5.1.2600.0 (xpclient.010817-1148)</pre><pre>cidaemon.exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.0</pre><b>DW20.EXE_1380:</b><pre>.text</pre><pre>`.data</pre><pre>.cdata</pre><pre>.rsrc</pre><pre>watson.microsoft.com</pre><pre>.mdmp</pre><pre>%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S</pre><pre>/dw/stagetwo.asp</pre><pre>%s/%S/%S/%S/%S/%S/%S/%S/%S.htm</pre><pre>Failed to fill report params from generic params</pre><pre>Not offering reporting</pre><pre>%s Mode</pre><pre>Failed to get a reporting destination</pre><pre>Nothing to report from queue</pre><pre>No reports left to send. 
Removing queue triggers and bailing.</pre><pre>Failed to plug UI; LCID=%u</pre><pre>Ignoring %S due to unknown queue version</pre><pre>Reporting is disabled</pre><pre>SignOff queue reporting is disabled</pre><pre>Queued Reporting Mode called but still want to report to the queue</pre><pre>Bad queue type to report from</pre><pre>No reports for given queue mask - %u</pre><pre>Invalid queue mask - %u</pre><pre>Suspending: Force cancel to queued reporting</pre><pre>Suspending: Force cancel to network reporting</pre><pre>CreateWindowExA failed with %d.</pre><pre>Application Error Reporting %d</pre><pre>WatsonQueuedReportingInstanceVerification</pre><pre>riched20.dll</pre><pre>qMicrosoft\PCHealth\ErrorReporting\DW</pre><pre>msaccess.exe</pre><pre>http://watson.microsoft.com/dw/dcp.asp</pre><pre>http://watson.microsoft.com/dw/watsoninfo.asp</pre><pre>dwintl20.dll</pre><pre>Launching lightweight browser with URL</pre><pre>mshtml.dll</pre><pre>Not reporting</pre><pre>Reporting</pre><pre>DWBypassQueue</pre><pre>DWExplainerURL</pre><pre>DWNoSignOffQueueReporting</pre><pre>DWAlwaysReport</pre><pre>DWReporteeName</pre><pre>DWURLLaunch</pre><pre>DWNoExternalURL</pre><pre>DWStressReport</pre><pre>ole32.dll</pre><pre>imm32.dll</pre><pre>BTLog.dll</pre><pre>Microsoft\PCHealth\ErrorReporting\DW</pre><pre>HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger</pre><pre>http://</pre><pre>https://</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Debug</pre><pre>%s\%s</pre><pre>https</pre><pre>DwBTLog.log</pre><pre>Failed to get minidump for %S!</pre><pre>szAppName=%s</pre><pre>szAppVer=%d.%d.%d.%d</pre><pre>szAppStamp=x</pre><pre>szModName=%s</pre><pre>szModVer=%d.%d.%d.%d</pre><pre>szModStamp=x</pre><pre>fDebug=%s</pre><pre>offset=x</pre><pre>microsoft.com</pre><pre>.msn.com</pre><pre>.microsoft.com</pre><pre>d:d:d 
d-d-d</pre><pre>/dw/generictwo.asp</pre><pre>kernel32.dll</pre><pre>psapi.dll</pre><pre>mso.dll</pre><pre>MsoDWRecover%x</pre><pre>MsoDWHang%x</pre><pre>Launching browser with URL</pre><pre>shell32.dll</pre><pre>%d.%d.%d.%d</pre><pre>%d.%d.%d.%d.x.%d.%d</pre><pre>shfolder.dll</pre><pre>unknown.sig</pre><pre>%s dw20.exe %d.%d.%d.%d</pre><pre>RegKey=</pre><pre>ResponseURL=</pre><pre>URLLaunch=</pre><pre>NoExternalURL=</pre><pre>%s:(%s) XX</pre><pre>%s:(%s) X</pre><pre>%s:(%s)</pre><pre>%s:(%s) %s</pre><pre>registry.txt</pre><pre>wql.txt</pre><pre>Windows NT Version %d.%d Build: %d</pre><pre>Stage 1 server response: %s</pre><pre>Stage 2 server response: %s</pre><pre>Stage 4 server response: %s</pre><pre>StatusCode: %d</pre><pre>Opening server: %s</pre><pre>HttpOpen failed.</pre><pre>Opening %s Request:</pre><pre>HTTPS</pre><pre>HttpSend Failed.</pre><pre>HttpWrite Failed, GLE=%d.</pre><pre>HttpEndReq failed.</pre><pre>Count filename length greater than MAX_PATH, can't report.</pre><pre>Filesystem reporting: count file updated</pre><pre>FReportToQueue: GetLastError=%u</pre><pre>FReportToQueue: File Tree Root does not exist: %S</pre><pre>Failed to add heap file to cab: %S</pre><pre>memory.dmp</pre><pre>mdmpmem.hdmp</pre><pre>version.txt</pre><pre>Network reporting complete.</pre><pre>Network reporting failed.</pre><pre>Application Error Reporting Transfer %d</pre><pre>Filesystem reporting complete</pre><pre>Filesystem reporting: cab successfully written</pre><pre>Filesystem reporting: could not find/create directory for cab/count</pre><pre>Filesystem reporting: redirection failure, too many redirects</pre><pre>Filesystem reporting: redirection failure, no previous roots</pre><pre>Filesystem reporting: improper file tree root</pre><pre>Filesystem reporting cancelled</pre><pre>Filesystem reporting: file tree root is too long</pre><pre>Record: 0xxx</pre><pre>Address: 0xxx</pre><pre>Code: 0xx</pre><pre>Flags: 0xx</pre><pre>x:x</pre><pre>(%d.%d:%d.%d)</pre><pre>Checksum: 
0xx</pre><pre>Time Stamp: 0xx</pre><pre>Image Base: 0xx</pre><pre>Image Size: 0xx</pre><pre>Module %d</pre><pre>Windows NT %d.%d Build: %d</pre><pre>CPU AMD Feature Code: X</pre><pre>CPU Version: X CPU Feature Code: X</pre><pre>CPU Vendor Code: X - X - X</pre><pre>0xx:</pre><pre>0xx: x x x x</pre><pre>EFlags: 0xx ESP: 0xx SegSs: 0xx</pre><pre>EIP: 0xx EBP: 0xx SegCs: 0xx</pre><pre>EBX: 0xx ECX: 0xx EDX: 0xx</pre><pre>EDI: 0xx ESI: 0xx EAX: 0xx</pre><pre>Thread ID: 0xx</pre><pre>Thread %d</pre><pre>Memory Range %d</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW</pre><pre>OkToReportFromTheseQueues</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>Failed to obtain queue mutex. GetLastError=%u</pre><pre>FGetQueueMutex: WaitForSingleObject returned %u</pre><pre>Failed to open or create queue mutex. GetLastError=%u</pre><pre>Failed queued reporting pester check</pre><pre>Failed to create run reg key</pre><pre>Persistent run key is set.</pre><pre>CoInitializeEx() returned 0x%x.</pre><pre>Reporting to Admin Queue</pre><pre>Reporting to Regular Queue</pre><pre>Reporting to SignOff Queue</pre><pre>Reporting to Headless Queue</pre><pre>Reporting from Regular Queue</pre><pre>Reporting from SignOff Queue</pre><pre>Reporting from Headless Queue</pre><pre>OOM Failed to alloc QueuedReportData</pre><pre>FAllocSD: GetLastError=%u</pre><pre>%s%s%s</pre><pre>FEnsureQueueDirW: GetLastError=%u</pre><pre>Failed to write snt. GLE: %u</pre><pre>Failed to create snt. 
GLE: %u</pre><pre>Failed to set info; bad queue type: %u</pre><pre>Failed to open reg key for queue</pre><pre>Failed to get windows folder path for queue: %u</pre><pre>Failed to move instr file from queue A to queue B - %u</pre><pre>Failed to move cab file from queue A to queue B - %u</pre><pre>Did not move any reports from admin q to user q</pre><pre>Did not move any reports from user q to headless q</pre><pre>Queue types that have reports: %u</pre><pre>Setting triggerAtConnectionMade to: %u</pre><pre>Setting triggerAtLogon to: %u</pre><pre>Setting the queue trigger based upon: %u</pre><pre>SUCCESS adding report to queue</pre><pre>Launched (%S)</pre><pre>Failed to store the SensSubscription. hr: %d</pre><pre>failed to allocate PROGID string: %S</pre><pre>Failed putting SubscriberInterface. hr: %d</pre><pre>Failed putting PerUser. hr: %d</pre><pre>Failed putting Enabled. hr: %d</pre><pre>Failed putting MachineName. hr: %d</pre><pre>Failed putting OwnerSID. hr: %d</pre><pre>Failed putting Description. hr: %d</pre><pre>Failed putting InterfaceID. hr: %d</pre><pre>Failed putting EventClassID. hr: %d</pre><pre>Failed putting MethodName. hr: %d</pre><pre>Failed putting SubscriptionName. hr: %d</pre><pre>Failed putting PublisherID. hr: %d</pre><pre>Failed putting SubscriberCLSID. hr: %d</pre><pre>Failed putting SubscriptionID. hr: %d</pre><pre>Failed CoCreateInstance on EventSubscription. hr: %d</pre><pre>Failed to remove the SensSubscription. hr: %d</pre><pre>failed to allocate query string: %S</pre><pre>Failed CoCreateInstance on EventSystem. hr: %d</pre><pre>SENS: StringFromIID() returned <%x></pre><pre>DWSHARED: SysAllocString(%s) failed!</pre><pre>Failed to subscribe subscription %u. hr: %d</pre><pre>Failed to get data for subscription %u. 
hr: %d</pre><pre>Failed to query install reg key</pre><pre>Failed to open install reg key</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Installed</pre><pre>HKEY_USERS\</pre><pre>HKEY_CURRENT_CONFIG\</pre><pre>HKEY_CLASSES_ROOT\</pre><pre>HKEY_LOCAL_MACHINE\</pre><pre>HKEY_CURRENT_USER\</pre><pre>initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>creating CDwAccessible: hwnd %x, idc %d</pre><pre>WriteAtOffset.Write(0x%x) failed, 0xx</pre><pre>WriteAtOffset.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>WriteStringToPool.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.Seek(0x%x) failed, 0xx</pre><pre>WriteDirectoryEntry.Write(0x%x) failed, 0xx</pre><pre>Thread(0x%x) callback returned FALSE</pre><pre>WriteSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteSystemInfo.GetCpuInfo failed, 0xx</pre><pre>CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteHeader.GetCurrentTimeDate failed, 0xx</pre><pre>WriteDirectoryTable.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.Write(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 
0x%I64x (0x%I64x:0x%I64x)</pre><pre>WriteFullMemory.Memory.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx</pre><pre>WriteFullMemory.Desc.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx</pre><pre>Kernel minidump write failed, 0xx</pre><pre>MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>Invalid exception record parameter count (0x%x)</pre><pre>Invalid exception record size (0x%x)</pre><pre>Invalid CPU type (0x%x)</pre><pre>Invalid function table size (0x%x)</pre><pre>GetSystemType.GetOsInfo failed, 0xx</pre><pre>GetSystemType.GetCpuType failed, 0xx</pre><pre>Write.Start failed, 0xx</pre><pre>Dump type requires streaming but output provider does not support streaming</pre><pre>Invalid dump type 0x%x</pre><pre>dbghelp.dll</pre><pre>Alloc(0x%x) failed</pre><pre>Thread(0x%x) will not be included</pre><pre>GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetImageSections.GenImageNtHeader(0x%I64x) failed</pre><pre>GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.GetContext(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.Open(0x%x) failed, 0xx</pre><pre>GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx</pre><pre>GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x</pre><pre>GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateProcessObject.GetPeb(0x%x) failed, 
0xx</pre><pre>GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGenTebMemory.TLS(0x%I64x) failed, 0xx</pre><pre>GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>0GenGetAuxMemory(%ws) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) looped</pre><pre>GenGetProcessInfo.EnumModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) looped</pre><pre>GenGetProcessInfo.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Desc.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Header.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Seek(0x%x) failed, 0xx</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls</pre><pre>version.dll</pre><pre>ntdll.dll</pre><pre>%$%,%4%<%</pre><pre>S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%</pre><pre>b%c%d%e%f%g%h%i%j%k%l%</pre><pre>!"#$%&'()* ,-./0123456789:;<=</pre><pre>!!!!2222</pre><pre>%%%f||||</pre><pre>!!!!2222||||</pre><pre>!"#$%&'(</pre><pre>'()* ,-./0</pre><pre>&'()* ,-./</pre><pre>&'()* ,-./012345</pre><pre>3456789</pre><pre>.ASex</pre><pre>!"#$%&'()* 
,-./012</pre><pre>!"#$%&'()</pre><pre>?msodatad.dat</pre><pre>msodatalast.dat</pre><pre>Unicows.dll</pre><pre>Kernel32.dll</pre><pre>SHLWAPI.DLL</pre><pre>GDI32.DLL</pre><pre>wintrust.dll</pre><pre>1108160</pre><pre>0u.hN</pre><pre>0SSh </pre><pre>t.WWWj</pre><pre>PSSh07</pre><pre>t5SSh(</pre><pre>PSSSSSSh</pre><pre>0SSSSh</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>KERNEL32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>MSVCRT.dll</pre><pre>RPCRT4.dll</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>urlmon.dll</pre><pre>USER32.dll</pre><pre>VERSION.dll</pre><pre>WININET.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyExA</pre><pre>ReportEventA</pre><pre>ReportEventW</pre><pre>RegEnumKeyExA</pre><pre>RegQueryInfoKeyA</pre><pre>RegQueryInfoKeyW</pre><pre>GetProcessHeap</pre><pre>GetSystemWindowsDirectoryW</pre><pre>_amsg_exit</pre><pre>_acmdln</pre><pre>ShellExecuteExA</pre><pre>UrlGetPartA</pre><pre>CreateURLMoniker</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>HttpQueryInfoA</pre><pre>HttpSendRequestExA</pre><pre>HttpOpenRequestA</pre><pre>InternetCanonicalizeUrlA</pre><pre>InternetCrackUrlA</pre><pre>HttpEndRequestA</pre><pre>dw20.pdb</pre><pre>\devsplab1\otools\BBT_TEMP\DW20O.pdb</pre><pre>winword.exe</pre><pre>wwordlt.exe</pre><pre>excel.exe</pre><pre>excellt.exe</pre><pre>mspub.exe</pre><pre>frontpg.exe</pre><pre>outlook.exe</pre><pre>powerpnt.exe</pre><pre>powpntlt.exe</pre><pre>onenote.exe</pre><pre>infopath.exe</pre><pre>winproj.exe</pre><pre>ois.exe</pre><pre>visio.exe</pre><pre>`!`'`)` `</pre><pre>e%f-f|3 f'f/f</pre><pre>]!^"^#^ ^$^</pre><pre>t.uGuHu</pre><pre>x4x7x%x-x x</pre><pre>h&h(h.hMh:h%h h,k/k-k1k4kmk</pre><pre>k%lzmcmdmvm</pre><pre>^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP</pre><pre>]8^6^3^7^</pre><pre>ichczc]eVeQeYeWe_UOeXeUeTe</pre><pre>{1{ {-{/{2{8{</pre><pre>r6s%s4s)s:t*t3t"t%t5t6t4t/t</pre><pre>t&t(t%u&ukuju</pre><pre>WHX%X</pre><pre>`IaJa 
aEa6a2a.aFa/aOa)a@a bh</pre><pre>d@d%d'd</pre><pre>duewexei</pre><pre>kCpDpJpHpIpEpFp</pre><pre>S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S</pre><pre>U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU</pre><pre>c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c</pre><pre>m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm</pre><pre>nRsSsh</pre><pre>evg%f</pre><pre>m.tRa</pre><pre>gtr%x</pre><pre>Q%SKg</pre><pre>f.ebp>QI</pre><pre>y.yxT</pre><pre>fn:q%uN</pre><pre>aw.Toiz</pre><pre>RMeXe</pre><pre>S#S$S%S;ScSdSrSsStSuS</pre><pre>`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`</pre><pre>^ ^!^"^#^$^%^&^'^.^}^</pre><pre>c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe</pre><pre>f f!f"f#f$f%f&f'f(f)f*f f,f-f</pre><pre>m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m&lt;m&gt;m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm</pre><pre>u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu</pre><pre>U U!U"U#U$U%U&U'U(U4UJU</pre><pre>](^)^*^ ^,^-^/^0^1^</pre><pre>m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m</pre><pre>x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x&lt;x&gt;x?x@xAxXy_yaycydyeygyiyjykylynyoy</pre><pre>} }!}"}#}$}%}&}'}</pre><pre>] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]</pre><pre>]2^3^4^5^6^7^8^9^:^;^<^>^</pre><pre>cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe</pre><pre>X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X&lt;X&gt;X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX</pre><pre>d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele</pre><pre>s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs</pre><pre>u$u%u&u/ujukulumunuouqurusutu</pre><pre>duewexeyeze{e</pre><pre>~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0</pre><pre>| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|</pre><pre>{3~3}3|3</pre><pre>eZl%u</pre><pre>Q.YeY</pre><pre>R:\Sg|p5rL</pre><pre>e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei</pre><pre>s4s/s)s%s>sNsOs</pre><pre>s&t*t)t.tbt</pre><pre>2%2.bx</pre><pre>{ | 
}9},</pre><pre>d6exe9j</pre><pre>]%sOu4](n</pre><pre>m.t.zB}</pre><pre>w%xIyWy</pre><pre>^vcÓv</pre><pre>%f?iCt</pre><pre>U>_.lE</pre><pre>f.ebp</pre><pre>.nrR=</pre><pre>{fn:q%uN</pre><pre>infocard.exe</pre><pre>name="Microsoft.Windows.ErrorReporter"</pre><pre>version="5.1.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df" /></pre><pre><description>Windows Error Reporting</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>1%s\%s\%s\%s\%s\%s\%s\%s</pre><pre>AppName: %s AppVer: %s AppStamp:%s</pre><pre>ModName: %s ModVer: %s ModStamp:%s</pre><pre>fDebug: %s Offset: %s</pre><pre>Main_AlwaysReportBtn=</pre><pre>Main_NoReportBtn=</pre><pre>Main_ReportBtn=</pre><pre>General_Reportee=</pre><pre>CheckBoxRegKey=</pre><pre>ReportingFlags=</pre><pre>Stage1URL=</pre><pre>Stage2URL=</pre><pre>%General_Reportee%</pre><pre>%u %s</pre><pre>%u.%u %s</pre><pre>%s %s %s %s in %s %s %s fDebug %s at offset %s</pre><pre>Bucket: d</pre><pre>BucketTable %d</pre><pre>%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s</pre><pre>\dw.log</pre><pre>policy.txt</pre><pre>crash.log</pre><pre>status.txt</pre><pre>hits.log</pre><pre>count.txt</pre><pre>%s\%s\%s</pre><pre>%s\%s\%s\%s</pre><pre>eDWQueuedReporting</pre><pre>DWPersistentQueuedReporting</pre><pre>"%s\%s" -%c</pre><pre>dwtrig20.exe</pre><pre>ReportSize=</pre><pre>\*.cab</pre><pre>dwq.snt</pre><pre>"%s" -%c %u</pre><pre>SEventSystem.EventSubscription</pre><pre>SubscriptionID=%s</pre><pre>#$%&%&'(</pre><pre>Comctl32.dll</pre><pre>%WinDir%\TEMP\F0C3B.tmp</pre><pre>%WinDir%\TEMP\F014F.dmp</pre><pre>%WinDir%\TEMP</pre><pre>Windows CardSpace</pre><pre>.NET Runtime 2.0 Error Reporting</pre><pre>%WinDir%\TEMP\dw.log</pre><pre>Microsoft Application Error 
Reporting</pre><pre>11.0.8160</pre><pre>Windows</pre><pre>DW20.Exe</pre>