Skip to main content

SearchProtectToolbar_pcap_d9733faefd


SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d9733faefd72af02877de4dc3eb8642d

SHA1: 460473831eabd8e986857087e70ff22cd762e54d

SHA256: e0ca9398808f469c2aea96319b644e58171b769810bec5118645be8c29865319

SSDeep: 393216:atIHFMEzHsW 9G989/L NgUxmHl4h/2sSQC6stH5UZT6lGF:aqFDzsW 9GsL Am/e5WZTLF

Size: 18818672 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: AOL Inc.

Created at: 2009-12-06 00:50:46

Analyzed on: Windows7Ada SP1 64-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

dnupdatersetup.exe:2392
WerFault.exe:3408
aol-messaging_trio1C76.exe:2744
aimtbServer.exe:2388
aimtbServer.exe:1676
aimtbServer.exe:3896
aimtbServer.exe:3388
aol-messaging_toolbar_ff.exe:2736
dlupd.exe:2712
RunDll32.exe:3852
%original file name%.exe:3300
%original file name%.exe:2728
aol-messaging_toolbar_ie.exe:3716
regsvr32.exe:3468
dnu.exe:4024
dnu.exe:3420
dnu.exe:2956
dnu.exe:2372

The Malware injects its code into the following process(es):

aim.exe:692
AOL_Search.exe:3728

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process dnupdatersetup.exe:2392 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\nsJSON.dll (15 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (313 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State (2156387 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\System.dll (23 bytes)

The process WerFault.exe:3408 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_dnupdatersetup.e_50eae638e7cd79cff7e41844acbd428498edc5_0d5c7e53\Report.wer (156854 bytes)

The process aol-messaging_trio1C76.exe:2744 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\vc9rt.msi (39033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\182NGY1Y\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\timestamp[1].htm (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (27962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P3RWXGAD.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spr5.htm (85 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll (16476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\upgrade.xml (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\timestamp.txt (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll (5667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe (14383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWR9ROHK\nocontentxml[1].htm (34 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe (48083 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JOM1A130.txt (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe (6665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe (166927 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V8U5K4H\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll (1461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll (32 bytes)

The process aim.exe:692 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\update\config.xml (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000005 (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000004 (87 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000007 (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000006 (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000001 (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000003 (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000002 (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000009 (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000008 (69 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FAP56A8.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\manifest.bin (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies (383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage-journal (5114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_9QXbgnrIl1bcXkL (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\index (368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies-journal (2799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\fcs4AB5.tmp (703 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_3 (6376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_2 (12792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_1 (32536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_0 (186740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (5416 bytes)

The process aol-messaging_toolbar_ff.exe:2736 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IaimUninstallObserver.xpt (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\pinit.zip (2903 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa7FBB.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll (6762 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\share.zip (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\weather.zip (8430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\aolmail.zip (3355 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\amazon.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll (1228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\trendingtopics.zip (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\surfometer.zip (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\source.dat (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimUninstallObserver.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAddonObserver.js (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\calendar.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\facebook.zip (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAutoSuggest.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IMailUtil.xpt (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar (11620 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome.manifest (975 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe (11050 bytes)

The process dlupd.exe:2712 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (1764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6689 bytes)

The process AOL_Search.exe:3728 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe (11050 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-search.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll (23 bytes)

The process %original file name%.exe:3300 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locales\en-US.pak (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsisext.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\manifest.bin (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdl10n.ini (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\credits.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll (325923 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll (524009 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\Uninstaller.exe (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll (26610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\register.bat (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\config.xml (321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\unregister.bat (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuEA4F.tmp (1220470 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe (33504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll (766772 bytes)
C:\Users\"%CurrentUserName%"\Desktop\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\Uninstall AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\dlupd.exe (5211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\modern-header.bmp (5 bytes)

The process %original file name%.exe:2728 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE946.tmp (28210 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\nsisext.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\modern-header.bmp (5 bytes)

The process aol-messaging_toolbar_ie.exe:3716 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\trendingtopics.zip (11 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_0.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addbuddybutton.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_0.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_left.gif (138 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\jquery.js (3436 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevdown.gif (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_bot.gif (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_left.gif (138 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll (8320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buddy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\09.gif (317 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints_frame.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\amazon.zip (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\privacy_icon.gif (468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdown.gif (477 bytes)
%Program Files% (x86)\AIM Toolbar\uninstall.exe (8368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_2.gif (914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\content.html (828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupover.gif (445 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_0.gif (908 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\06.gif (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttonManager.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_left.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_large.gif (170 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsearch.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\evergreen.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addbuddybutton.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_bot.gif (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\bullet.gif (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enabletoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html (714 bytes)
%Program Files% (x86)\AIM Toolbar\7z.dll (19117 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dropcustombutton.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\buttons\defaultButtons.xml (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\bullet.gif (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtb.cfg (1568 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownover.gif (452 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\weather.zip (8430 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\latest.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\renamecustombutton.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_0.gif (905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\07.gif (307 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\firsttimepage.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_2.gif (906 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enabletoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.htm (495 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints_confirm.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\qap.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_large.gif (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\olderversion.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\04.gif (310 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bottom.gif (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsearch.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply_over.png (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevover.gif (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_top.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_frame.htm (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttonManager.js (6 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_right.gif (108 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_large.gif (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextover.gif (155 bytes)
%Program Files%\AIM Toolbar\7z.dll (31890 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_0.gif (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.htm (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowright.png (939 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\weather.zip (8430 bytes)
%Program Files%\AIM Toolbar\uninstall.exe (8368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownover.gif (452 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\share.zip (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\UserInfo.dll (8 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdisabled.gif (456 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_2.gif (914 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dots32.gif (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_left.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_2.gif (900 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabOver.gif (904 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\json2.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowleft.png (938 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enable_bg.jpg (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndown.gif (482 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\pinit.zip (2903 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\calendar.zip (16 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_right_tile.gif (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_0.gif (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons_frame.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\09.gif (317 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\resettoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_top.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\surfometer.zip (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_0.gif (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\jquery.js (3436 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addcustombutton.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\03.gif (314 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_0.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\share.zip (4 bytes)
%Program Files% (x86)\AIM Toolbar\aimtbServer.exe (6897 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_icon.gif (582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dot.gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\07.gif (307 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_2.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\facebook.zip (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevup.gif (219 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabActive.gif (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\metrics.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\00.gif (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndown.gif (482 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_2.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\about.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\branding.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextdown.gif (159 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownup.gif (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_left_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\olderversion.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_0.gif (910 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdown.gif (477 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\03.gif (314 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\about.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabActive.gif (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevdown.gif (157 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popup_icon.gif (240 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextover.gif (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\aolmail.zip (3355 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_right.gif (108 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\surfometer.zip (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_frame.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\02.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\calendar.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextup.gif (222 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupover.gif (445 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_1.gif (821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_bot.gif (72 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\ani_media_icon.gif (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blocker.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_2.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_2.gif (906 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\02.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_right_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_frame.htm (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownup.gif (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\qap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\privacy_icon.gif (468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsprompt.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addcustombutton.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blocker.js (6 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\amazon.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bg.gif (64 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevup.gif (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.html (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\general_icon.gif (470 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_icon.gif (462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndisabled.gif (455 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dot.gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextup.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabNormal.gif (884 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\content.html (828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply_over.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\upgradeToolbar.exe (3428 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll (8320 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\customize_icon.gif (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints_confirm.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupup.gif (488 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_0.gif (905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\nsArray.dll (14 bytes)
%Program Files%\AIM Toolbar\aimtbServer.exe (11642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\metrics.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.html (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\08.gif (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_2.gif (907 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\general_icon.gif (470 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\00.gif (313 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtb.cfg (1568 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_2.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buddy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\firsttimepage.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupup.gif (488 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowleft.png (938 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\resettoolbar.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\latest.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\customize_icon.gif (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bottom.gif (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dropcustombutton.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\05.gif (314 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndisabled.gif (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_frame.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\06.gif (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\pinit.zip (2903 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\01.gif (201 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons_frame.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bg.gif (64 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_0.gif (908 bytes)
%Program Files% (x86)\AIM Toolbar\aimtb.dll (63702 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply.png (1 bytes)
%Program Files%\AIM Toolbar\aimtb.dll (82243 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_0.gif (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\ani_media_icon.gif (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\facebook.zip (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\renamecustombutton.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsprompt.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\local\search.html (714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_left_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\branding.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_bot.gif (72 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabNormal.gif (884 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\05.gif (314 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabOver.gif (904 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\04.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\json2.js (18 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\01.gif (201 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\buttons\defaultButtons.xml (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\aolmail.zip (3355 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_2.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popup_icon.gif (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_icon.gif (582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_2.gif (900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextdown.gif (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dots32.gif (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_2.gif (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\evergreen.html (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\stylesheet.css (7 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\trendingtopics.zip (11 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\08.gif (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left.gif (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (8320 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enable_bg.jpg (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_0.gif (911 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left.gif (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\custombutton.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdisabled.gif (456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_2.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll (8696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\stylesheet.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_tile.gif (53 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_0.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_icon.gif (462 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_1.gif (821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevover.gif (152 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_large.gif (171 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\custombutton.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowright.png (939 bytes)

The process regsvr32.exe:3468 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (376 bytes)
%Program Files%\AIM Toolbar\aimtb.dll (291 bytes)

The process dnu.exe:4024 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe (1181785 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\prd1AA1.tmp (1444 bytes)

The process dnu.exe:3420 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

The process dnu.exe:2372 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

Registry activity

The process dnupdatersetup.exe:2392 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]
"DisplayIcon" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe, 201"
"UninstallString" = "%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe"
"NoModify" = "1"
"VersionMinor" = "2"
"NoRepair" = "1"
"VersionMajor" = "1"
"InstallLocation" = "%Program Files% (x86)\Common Files\Software Update Utility"
"Publisher" = "AOL Inc."
"DisplayName" = "Download Updater (AOL Inc.)"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]

The process WerFault.exe:3408 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 92 37 0A 77"

The process aol-messaging_trio1C76.exe:2744 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"silent" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg"
"Reboot"

The process aimtbServer.exe:2388 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "c:\program files\aim toolbar\aimtbServer.exe"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

The Malware deletes the following registry key(s):

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\Programmable]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]

The process aimtbServer.exe:1676 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}]
"(Default)" = "_IAolToolbarHelperEvents"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}]
"(Default)" = "IAolToolbarHelper"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}]
"(Default)" = "IAolToolbarHelper"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtbServer.exe"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtbServer.exe"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}]
"(Default)" = "_IAolToolbarHelperEvents"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0]
"(Default)" = "AIMToolbarServer 1.0 Type Library"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\FLAGS]
"(Default)" = "0"

The process aimtbServer.exe:3896 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtbServer.exe"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\0\win64]
"(Default)" = "%Program Files%\AIM Toolbar\aimtbServer.exe"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

The process aimtbServer.exe:3388 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "c:\program files (x86)\aim toolbar\aimtbServer.exe"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\Programmable]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]

The process aim.exe:692 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\America Online\AOL Diagnostics\AOLChromelyAIMUSGMWin328.0.7.1]
"aim.exe" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

[HKCU\Software\Classes\aim\shell\open\command]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe -appcmd=%1"

[HKCU\Software\Classes\aim\Content Type]
"(Default)" = "application/x-aim"

[HKCU\Software\Classes\aim]
"URL Protocol" = ""

[HKCU\Software\Classes\aim\DefaultIcon]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe,0"

The process dlupd.exe:2712 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]
"DisplayIcon" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe, 201"
"UninstallString" = "%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe"
"NoModify" = "1"
"VersionMinor" = "2"
"NoRepair" = "1"
"VersionMajor" = "1"
"InstallLocation" = "%Program Files% (x86)\Common Files\Software Update Utility"
"Publisher" = "AOL Inc."
"DisplayName" = "Download Updater (AOL Inc.)"

The process AOL_Search.exe:3728 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 32 7F C4 47"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"SuggestionsURL_JSON" = "http://autocomplete.search.aol.com/autocomplete/get?q={searchTerms}&count=10&it={source}-en-us&output=json&it=aimright-ie"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"ShowSearchSuggestions" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 B3 1D A1 8F"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"URL" = "http://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=aimright-ie&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014"
"FaviconURL" = "http://search.aol.com/favicon.ico"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"DisplayName" = "AOL Search"

The Malware deletes the following registry key(s):

[HKCU\Software\Classes\Local Settings\MuiCache\2A]
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"503006091D97D4F5AE39F7CBE7927D7D652D3431"
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

The process RunDll32.exe:3852 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "DB 35 4E 89 16 19 D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process %original file name%.exe:3300 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{7A02967B-018E-41c9-953E-3DCAB144538B}]
"AppName" = "aim.exe"
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"DisplayName" = "AIM for Windows"
"Publisher" = "AOL Inc."
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{7A02967B-018E-41c9-953E-3DCAB144538B}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"VersionMajor" = "8"
"NoRepair" = "1"
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"
"NoModify" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM for Windows" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

The process %original file name%.exe:2728 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process aol-messaging_toolbar_ie.exe:3716 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"AppID" = ""

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallDate" = "17-12-2014"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCU\Software\AIM Toolbar\ieToolbar]
"Installed" = "0"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"brand" = "AIM"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"(Default)" = "ToolbarInfo Class"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"partner" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"PostInst" = "http://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1&upg=0"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"DisplayName" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.Downloader\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"PostInst" = "http://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1&upg=0&upg=0"

[HKCR\AIMTb.MailUtil\CurVer]
"(Default)" = "AIMTb.MailUtil.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"CLSID" = "aimtbServer.exe"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"(Default)" = "ContentObject Class"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"removeButtons" = ";aol_mail;aim_express;aim_newIM;aim_thisPage;aim_goAway;aol_radio_1100;aol_video_1000;share_this;aim_express_7238;aim_new_im_8051;im2sms_7871;set_away_7889;lifestream_8042;aimexpress;aol_mail;newim;send2cell;setaway;lifestream;aolradio;share;aol_mail_32168;send2cell_32191;share_32235;aolradio_32224;facebook_42091;share_this_page_46128;aol_mail_37735_url;ebay_46844"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\AIMTb.ToolbarParams]
"(Default)" = "ToolbarParams Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.Downloader.1\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\NumMethods]
"(Default)" = "25"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.AOLTBSearch.1]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.CurtainInfo]
"(Default)" = "CurtainInfo Class"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"(Default)" = "Downloader Class"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"partner" = ""

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Build" = "5.96.10.10013"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.MailUtil.1]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.ToolbarParams.1\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ToolbarParams\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\AIMTb.WinampUtil\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\VersionIndependentProgID]
"(Default)" = "AIMTb.CurtainInfo"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\AIMTb.ContentObject\CurVer]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"Version" = "1.0"

[HKCR\AIMTb.ContentObject\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCR\AIMTb.MailUtil.1\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0]
"(Default)" = "AOL Messaging Toolbar 1.0 Type Library"

[HKCR\AIMTb.ToolbarInfo.1\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\AIMTb.ToolbarInfo\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"ToolbarID" = "aol-messaging"

[HKCR\AIMTb.WidgetController\CurVer]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale" = "en-US"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\AIMTb.CurtainInfo\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\AIMTb.ToolbarInfo\CurVer]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallSource" = "aimright-ie"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"isUpg" = "0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Guid" = "{279bd60b-eb31-4c6d-969c-b2e024885899}"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"AppID" = ""

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"(Default)" = "ToolbarParams Class"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"AppID" = ""

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\NumMethods]
"(Default)" = "10"

[HKCR\AIMTb.AOLTBSearch\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"brand" = "AIM"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallDate" = "17-12-2014"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallSource" = "aimright-ie"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"UninstallString" = "%Program Files% (x86)\AIM Toolbar\uninstall.exe"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.WidgetController\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\AIMTb.WidgetHandler\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\AIMTb.ContentObject.1\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"Policy" = "3"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"VersionMajor" = "5"

[HKCR\AIMTb.ToolbarParams\CurVer]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg" = ""

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}" = "AOL Messaging Toolbar"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCR\AIMTb.CurtainInfo\CurVer]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"AppID" = ""

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\NumMethods]
"(Default)" = "7"

[HKCR\AIMTb.AOLToolBand\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"VersionNum" = "5"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"VersionMinor" = "96"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\NumMethods]
"(Default)" = "8"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"distroid" = "aim"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"AppID" = ""

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"(Default)" = "CurtainInfo Class"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"partner" = ""

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\NumMethods]
"(Default)" = "43"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"FirstUse" = "N"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"AppID" = ""

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"isUpg" = "0"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\NumMethods]
"(Default)" = "17"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\AIMTb.MailUtil]
"(Default)" = "MailUtil Class"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"partner" = ""

[HKCR\AIMTb.WidgetController.1]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.ContentObject.1]
"(Default)" = "ContentObject Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"(Default)" = ""

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.ContentObject]
"(Default)" = "ContentObject Class"

[HKCR\AIMTb.ToolbarInfo]
"(Default)" = "ToolbarInfo Class"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\ProgID]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\AIMTb.WidgetController]
"(Default)" = "WidgetController Class"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\NumMethods]
"(Default)" = "15"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"AppID" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"distroid" = "aim"

[HKCR\AIMTb.CurtainInfo.1]
"(Default)" = "CurtainInfo Class"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarParams"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetHandler"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppName" = "aimtbServer.exe"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"FirstUse" = "N"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"AppPath" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"AppID" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"defaultsCheck" = "3"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKCR\AIMTb.AOLToolBand.1\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\NumMethods]
"(Default)" = "62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLToolBand.1]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.AOLTBSearch\CurVer]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"brand" = "AIM"

[HKCR\AIMTb.ToolbarParams.1]
"(Default)" = "ToolbarParams Class"

[HKCR\AIMTb.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AIMTb.WidgetHandler.1]
"(Default)" = "WidgetHandler Class"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.WinampUtil.1]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.AOLTBSearch.1\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallSource" = "aimright-ie"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallSource" = "aimright-ie"
"InstallDate" = "17-12-2014"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.WinampUtil]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.WidgetHandler.1\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\AIMTb.AOLToolBand]
"(Default)" = "AOL Messaging Toolbar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"VersionNum" = "5"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLTBSearch"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\ProgID]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\AIMTb.WinampUtil\CurVer]
"(Default)" = "AIMTb.WinampUtil.1"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\AIMTb.ToolbarInfo.1]
"(Default)" = "ToolbarInfo Class"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\NumMethods]
"(Default)" = "12"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\VersionIndependentProgID]
"(Default)" = "AIMTb.Downloader"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppPath" = "c:\program files (x86)\aim toolbar"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Build" = "5.96.10.10013"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\ProgID]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.Downloader\CurVer]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCU\Software\AIM Toolbar\ieToolbar\settings\_ldefault_\curtain]
"congrats" = "curtainupg"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarInfo"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetController.1\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"AppID" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\ProgID]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"InstallLanguage" = "1033"

[HKCR\AIMTb.MailUtil\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallDate" = "17-12-2014"

[HKCR\AIMTb.AOLToolBand\CurVer]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\VersionIndependentProgID]
"(Default)" = "AIMTb.WinampUtil"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\VersionIndependentProgID]
"(Default)" = "AIMTb.MailUtil"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.WidgetHandler\CurVer]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\AIMTb.CurtainInfo.1\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"Version" = "1.0"

[HKCR\AIMTb.AOLTBSearch]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"brand" = "AIM"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"defaultsCheck" = "3"
"useLocale" = "en-US"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\ProgID]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"DisplayIcon" = "%Program Files% (x86)\AIM Toolbar\uninstall.exe"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"AppID" = ""

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\ProgID]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\ProgID]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"removeButtons" = ";aol_mail;aim_express;aim_newIM;aim_thisPage;aim_goAway;aol_radio_1100;aol_video_1000;share_this;aim_express_7238;aim_new_im_8051;im2sms_7871;set_away_7889;lifestream_8042;aimexpress;aol_mail;newim;send2cell;setaway;lifestream;aolradio;share;aol_mail_32168;send2cell_32191;share_32235;aolradio_32224;facebook_42091;share_this_page_46128;aol_mail_37735_url;ebay_46844"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"Publisher" = "AOL Inc."

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.WinampUtil.1\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"AppPath" = "%Program Files%\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetController"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\ProgID]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\VersionIndependentProgID]
"(Default)" = "AIMTb.ContentObject"

[HKCR\AIMTb.WidgetHandler]
"(Default)" = "WidgetHandler Class"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\Programmable]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Programmable]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Programmable]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"appendButtonId"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"locale"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"locale"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"Department"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale"
"Department"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale"

The process regsvr32.exe:3468 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\ProgID]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\AIMTb.WinampUtil.1]
"(Default)" = "WinampUtil Class"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.ToolbarInfo\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"(Default)" = "WidgetController Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.AOLTBSearch.1\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\AIMTb.WidgetController\CurVer]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"AppID" = ""

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCU\Software\AIM Toolbar\ieToolbar]
"Installed" = "0"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\VersionIndependentProgID]
"(Default)" = "AIMTb.ContentObject"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarInfo]
"(Default)" = "ToolbarInfo Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCR\AIMTb.MailUtil\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"AppID" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppName" = "aimtbServer.exe"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"(Default)" = "ToolbarInfo Class"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\VersionIndependentProgID]
"(Default)" = "AIMTb.WinampUtil"

[HKCR\AIMTb.CurtainInfo\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\ProgID]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\AIMTb.WinampUtil]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.MailUtil]
"(Default)" = "MailUtil Class"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\NumMethods]
"(Default)" = "15"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ToolbarInfo\CurVer]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\NumMethods]
"(Default)" = "10"

[HKCR\AIMTb.AOLToolBand]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\AIMTb.Downloader\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetHandler.1\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"AppID" = ""

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\NumMethods]
"(Default)" = "7"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\NumMethods]
"(Default)" = "12"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\VersionIndependentProgID]
"(Default)" = "AIMTb.CurtainInfo"

[HKCR\AIMTb.MailUtil\CurVer]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\AIMTb.ContentObject.1]
"(Default)" = "ContentObject Class"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.WidgetController]
"(Default)" = "WidgetController Class"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WinampUtil\CurVer]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"AppID" = ""

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\ProgID]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\AIMTb.ToolbarInfo.1]
"(Default)" = "ToolbarInfo Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLTBSearch\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKCR\AIMTb.ContentObject]
"(Default)" = "ContentObject Class"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"AppID" = ""

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.Downloader\CurVer]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\ProgID]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"AppID" = ""

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\VersionIndependentProgID]
"(Default)" = "AIMTb.MailUtil"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"(Default)" = "WinampUtil Class"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\ProgID]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetController\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\VersionIndependentProgID]
"(Default)" = "AIMTb.Downloader"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.WidgetController.1]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.WidgetHandler\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarParams]
"(Default)" = "ToolbarParams Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppPath" = "c:\program files\aim toolbar"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\NumMethods]
"(Default)" = "25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"(Default)" = "ContentObject Class"

[HKCR\AIMTb.ContentObject.1\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.Downloader.1\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\AIMTb.CurtainInfo.1]
"(Default)" = "CurtainInfo Class"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarParams"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"CLSID" = "aimtbServer.exe"

[HKCR\AIMTb.ToolbarParams\CurVer]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\NumMethods]
"(Default)" = "11"

[HKCR\AIMTb.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.CurtainInfo]
"(Default)" = "CurtainInfo Class"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\NumMethods]
"(Default)" = "17"

[HKCR\AIMTb.AOLToolBand\CurVer]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\AIMTb.CurtainInfo\CurVer]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"AppID" = ""

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\ProgID]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"AppID" = ""

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\ProgID]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLTBSearch"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\NumMethods]
"(Default)" = "7"

[HKCR\AIMTb.AOLToolBand\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\AIMTb.MailUtil.1]
"(Default)" = "MailUtil Class"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\AIMTb.ToolbarParams.1\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarParams\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\AIMTb.AOLToolBand.1\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\AIMTb.WinampUtil\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\AIMTb.WidgetHandler\CurVer]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\ProgID]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\AIMTb.CurtainInfo.1\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Guid" = "{db7de21c-2f87-4bac-a333-1a81923caec0}"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLTBSearch.1]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\AIMTb.AOLTBSearch]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetController"

[HKCR\AIMTb.WidgetController.1\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.AOLToolBand.1]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\AIMTb.AOLTBSearch\CurVer]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"(Default)" = "CurtainInfo Class"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\0\win64]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"(Default)" = "ToolbarParams Class"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.ContentObject\CurVer]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\NumMethods]
"(Default)" = "62"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.ToolbarParams.1]
"(Default)" = "ToolbarParams Class"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.Downloader]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetHandler"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ContentObject\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"AppID" = ""

[HKCR\AIMTb.WidgetHandler.1]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.WinampUtil.1\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLToolBand"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.MailUtil.1\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\AIMTb.WidgetHandler]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.ToolbarInfo.1\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarInfo"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Programmable]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\Programmable]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Programmable]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"appendButtonId"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process dnu.exe:4024 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "DB 35 4E 89 16 19 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AOL\SoftwareUpdateUtility]
"Count" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\AOL\SoftwareUpdateUtility]
"LastCheck" = "1418841973"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process dnu.exe:3420 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\AppID\dnu.EXE]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\dnupdate]
"WarnOnOpen" = "0"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser"

[HKCR\dnUpdate]
"(Default)" = "URL: AOL downloadUpdater Protocol"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppPath" = "%CommonProgramFiles%\Software Update Utility"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dnUpdate]
"URL Protocol" = ""

[HKCR\dnUpdater.DownloadUpdController\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUpdController]
"(Default)" = "DownloadUpdController Class"

[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
"(Default)" = "dnu"

[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUpdController"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUIBrowser]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKCR\dnUpdater.DownloadUIBrowser.1]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
"(Default)" = "dnUpdater 1.0 Type Library"

[HKCR\dnUpdater.DownloadUpdController\CurVer]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppName" = "dnu.exe"
"Policy" = "3"

[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

[HKCR\dnUpdater.DownloadUpdController.1]
"(Default)" = "DownloadUpdController Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = "DownloadUpdController Class"
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\dnUpdate\shell\open\command]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe %1"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

The process dnu.exe:2956 makes changes in the system registry.


The Malware deletes the following registry key(s):

[HKCU\Software\AOL\SoftwareUpdateUtility]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\Programmable]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
[HKCR\dnUpdater.DownloadUpdController\CLSID]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}]
[HKCR\AppID\dnu.EXE]
[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
[HKCR\dnUpdate]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
[HKCR\dnUpdater.DownloadUpdController\CurVer]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Programmable]
[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
[HKCR\dnUpdater.DownloadUIBrowser.1]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
[HKCR\dnUpdater.DownloadUpdController.1]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
[HKCR\dnUpdater.DownloadUpdController]
[HKCR\dnUpdate\shell]
[HKCR\dnUpdater.DownloadUIBrowser]
[HKCR\dnUpdate\shell\open\command]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
[HKCR\dnUpdate\shell\open]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]

The Malware deletes the following value(s) in system registry:

[HKCR\dnUpdate]
"URL Protocol"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"AppID"

[HKCR\AppID\dnu.EXE]
"AppID"

The process dnu.exe:2372 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\AppID\dnu.EXE]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\dnupdate]
"WarnOnOpen" = "0"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser"

[HKCR\dnUpdate]
"(Default)" = "URL: AOL downloadUpdater Protocol"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppPath" = "%CommonProgramFiles%\Software Update Utility"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dnUpdate]
"URL Protocol" = ""

[HKCR\dnUpdater.DownloadUpdController\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUpdController]
"(Default)" = "DownloadUpdController Class"

[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
"(Default)" = "dnu"

[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUpdController"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUIBrowser]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKCR\dnUpdater.DownloadUIBrowser.1]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
"(Default)" = "dnUpdater 1.0 Type Library"

[HKCR\dnUpdater.DownloadUpdController\CurVer]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppName" = "dnu.exe"
"Policy" = "3"

[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

[HKCR\dnUpdater.DownloadUpdController.1]
"(Default)" = "DownloadUpdController Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = "DownloadUpdController Class"
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\dnUpdate\shell\open\command]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe %1"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

Dropped PE files

MD5 File path
04ad4b80880b32c94be8d0886482c774c:\Program Files (x86)\AIM Toolbar\7z.dll
bdde01ebf00e7fad5690779de65a93c7c:\Program Files (x86)\AIM Toolbar\aimtb.dll
48af6994e924487b26d1aab2dcc11ccfc:\Program Files (x86)\AIM Toolbar\aimtbServer.exe
e5c8cececbf8c680abfc9a5fc8d09328c:\Program Files (x86)\AIM Toolbar\uninstall.exe
6f7c8b14d416aa62302a2e500ae83883c:\Program Files (x86)\Common Files\Software Update Utility\dnu.exe
40b5edb6ce379c063e78c71ca87e7559c:\Program Files (x86)\Common Files\Software Update Utility\uninstall.exe
23a37370f275aa63255dfcc703951c37c:\Program Files\AIM Toolbar\7z.dll
2181ab144bc82529bd075187e7415b6cc:\Program Files\AIM Toolbar\aimtb.dll
37dd8ff0700a8d66397c2be9b3b6c028c:\Program Files\AIM Toolbar\aimtbServer.exe
e5c8cececbf8c680abfc9a5fc8d09328c:\Program Files\AIM Toolbar\uninstall.exe
cffa9ee353b9e2f4995488b90e6da41ac:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fac:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll
cffa9ee353b9e2f4995488b90e6da41ac:\Users\All Users\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fac:\Users\All Users\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll
cffa9ee353b9e2f4995488b90e6da41ac:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fac:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll
4bf70b35b943bd73bd6e13eb7c1ba4b3c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll
b9829ee922823f86d556564e6654d4e9c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe
81f0a71e0a851f24128ffc92e5b514ebc:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll
149fe0d2d2b0811a3749a210c2b29a65c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe
5119b80bd9e57b218cae5dbdf8e11fb2c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll
af8dcb44813c1ddcb789aa8eab2ccdc4c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll
dade3f9101d7ddd88ce76afc1a50b32fc:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll
e01945331345f678afae3ecd5369d61ac:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll
f586eed77cf57513bd1a62334cc878cfc:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe
42dd26d5e5d8d46373b3902cfb891a64c:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe
11781d4660ff929b6b2a584d178ee130c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe
cc0bd4f5a79107633084471dbd4af796c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll
4125926391466fdbe8a4730f2374b033c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll
5f6679c0a7569277f8dc3d031a125821c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll
acfb66ee6fc1f4266229ec6098fe1740c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll
2dc35ddcabcb2b24919b9afae4ec3091c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll
b4a091c552738676fd5e6c6a61ecad92c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe
7fd4d3c71d72682f10335c1c3dbfd2bac:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe
4ebec384319165af5a1d2c36019677cec:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe
9a7d35d1e9e5dfb6a7872d49cf64db83c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll
7377e5f92a5ce8e4645ac56abfff5040c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll
acc2b699edfea5bf5aae45aba3a41e96c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll
b9cd1b0fd3af89892348e5cc3108dce7c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll
293149eb15c8793dbf1ee5c5298bd5d8c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe
09bc9f32af2af2e9aa2f2c6db2255f2dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll
c17103ae9072a06da581dec998343fc1c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll
7377e5f92a5ce8e4645ac56abfff5040c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll
73cb3661d56315a8f61691e0e8b0f464c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll
293149eb15c8793dbf1ee5c5298bd5d8c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe
c29407ea98713dbeeb849036eca5b602c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
e249366ca86974606a715e00be93b7a0c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dnupdatersetup.exe:2392
    WerFault.exe:3408
    aol-messaging_trio1C76.exe:2744
    aimtbServer.exe:2388
    aimtbServer.exe:1676
    aimtbServer.exe:3896
    aimtbServer.exe:3388
    aol-messaging_toolbar_ff.exe:2736
    dlupd.exe:2712
    RunDll32.exe:3852
    %original file name%.exe:3300
    %original file name%.exe:2728
    aol-messaging_toolbar_ie.exe:3716
    regsvr32.exe:3468
    dnu.exe:4024
    dnu.exe:3420
    dnu.exe:2956
    dnu.exe:2372

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\nsJSON.dll (15 bytes)
    %Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (313 bytes)
    %Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6526 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State (2156387 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_dnupdatersetup.e_50eae638e7cd79cff7e41844acbd428498edc5_0d5c7e53\Report.wer (156854 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\vc9rt.msi (39033 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\182NGY1Y\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\timestamp[1].htm (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (27962 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P3RWXGAD.txt (112 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spr5.htm (85 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll (16476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\upgrade.xml (164 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\timestamp.txt (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll (5667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe (14383 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWR9ROHK\nocontentxml[1].htm (34 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe (48083 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JOM1A130.txt (304 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe (6665 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe (166927 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V8U5K4H\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll (1461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\update\config.xml (223 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000005 (394 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000004 (87 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000007 (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000006 (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000001 (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000003 (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000002 (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000009 (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000008 (69 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FAP56A8.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\manifest.bin (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies (383 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage (154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage-journal (5114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_9QXbgnrIl1bcXkL (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\index (368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies-journal (2799 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\fcs4AB5.tmp (703 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_3 (6376 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_2 (12792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_1 (32536 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_0 (186740 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (5416 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IaimUninstallObserver.xpt (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\pinit.zip (2903 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa7FBB.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll (6762 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\share.zip (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\weather.zip (8430 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\aolmail.zip (3355 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\amazon.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll (1228 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\trendingtopics.zip (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\surfometer.zip (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\source.dat (1368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimUninstallObserver.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAddonObserver.js (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\calendar.zip (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\facebook.zip (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAutoSuggest.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IMailUtil.xpt (194 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar (11620 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome.manifest (975 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe (11050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe (11050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-search.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locales\en-US.pak (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsisext.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\manifest.bin (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdl10n.ini (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\credits.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll (325923 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll (524009 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe (6584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\Uninstaller.exe (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll (26610 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\register.bat (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\config.xml (321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\unregister.bat (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuEA4F.tmp (1220470 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe (33504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll (13368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll (766772 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\Uninstall AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\dlupd.exe (5211 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\modern-header.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE946.tmp (28210 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\nsisext.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\modern-header.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\trendingtopics.zip (11 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_0.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addbuddybutton.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_0.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_left.gif (138 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\jquery.js (3436 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevdown.gif (157 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_bot.gif (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_left.gif (138 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll (8320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buddy.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\09.gif (317 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints_frame.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\amazon.zip (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\privacy_icon.gif (468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdown.gif (477 bytes)
    %Program Files% (x86)\AIM Toolbar\uninstall.exe (8368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_2.gif (914 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\content.html (828 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupover.gif (445 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_0.gif (908 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\06.gif (318 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttonManager.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_left.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_large.gif (170 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsearch.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\evergreen.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addbuddybutton.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_bot.gif (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\bullet.gif (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enabletoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html (714 bytes)
    %Program Files% (x86)\AIM Toolbar\7z.dll (19117 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dropcustombutton.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\buttons\defaultButtons.xml (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\bullet.gif (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtb.cfg (1568 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownover.gif (452 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\weather.zip (8430 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\latest.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\renamecustombutton.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_0.gif (905 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\07.gif (307 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\firsttimepage.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_2.gif (906 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enabletoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.htm (495 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints_confirm.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\qap.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_large.gif (170 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\olderversion.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\04.gif (310 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bottom.gif (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsearch.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply_over.png (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevover.gif (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_top.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_frame.htm (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttonManager.js (6 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_right.gif (108 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_large.gif (171 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextover.gif (155 bytes)
    %Program Files%\AIM Toolbar\7z.dll (31890 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_0.gif (909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.htm (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowright.png (939 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\weather.zip (8430 bytes)
    %Program Files%\AIM Toolbar\uninstall.exe (8368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownover.gif (452 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\share.zip (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\UserInfo.dll (8 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdisabled.gif (456 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_2.gif (914 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dots32.gif (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_left.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_2.gif (900 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabOver.gif (904 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\json2.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowleft.png (938 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enable_bg.jpg (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndown.gif (482 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\pinit.zip (2903 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\calendar.zip (16 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_right_tile.gif (54 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_0.gif (908 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons_frame.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\09.gif (317 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\resettoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_top.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\surfometer.zip (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_0.gif (909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\jquery.js (3436 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addcustombutton.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\03.gif (314 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_0.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\share.zip (4 bytes)
    %Program Files% (x86)\AIM Toolbar\aimtbServer.exe (6897 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_icon.gif (582 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dot.gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\07.gif (307 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_2.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\facebook.zip (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevup.gif (219 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabActive.gif (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\metrics.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\00.gif (313 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndown.gif (482 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_2.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\about.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\branding.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextdown.gif (159 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownup.gif (490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_left_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\olderversion.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_0.gif (910 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdown.gif (477 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\03.gif (314 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\about.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabActive.gif (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevdown.gif (157 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popup_icon.gif (240 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextover.gif (155 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\aolmail.zip (3355 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_right.gif (108 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\surfometer.zip (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_frame.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\02.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\calendar.zip (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextup.gif (222 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupover.gif (445 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_1.gif (821 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_bot.gif (72 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\ani_media_icon.gif (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blocker.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_2.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_2.gif (906 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\02.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_right_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_frame.htm (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownup.gif (490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\qap.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\privacy_icon.gif (468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsprompt.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addcustombutton.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blocker.js (6 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\amazon.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bg.gif (64 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevup.gif (219 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.html (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\general_icon.gif (470 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_icon.gif (462 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndisabled.gif (455 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dot.gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextup.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabNormal.gif (884 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\content.html (828 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply_over.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\upgradeToolbar.exe (3428 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll (8320 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\customize_icon.gif (480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints_confirm.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupup.gif (488 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_0.gif (905 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\nsArray.dll (14 bytes)
    %Program Files%\AIM Toolbar\aimtbServer.exe (11642 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\metrics.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.html (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\08.gif (316 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_2.gif (907 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\general_icon.gif (470 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\00.gif (313 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtb.cfg (1568 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_2.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buddy.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\firsttimepage.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupup.gif (488 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowleft.png (938 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\resettoolbar.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\latest.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\customize_icon.gif (480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bottom.gif (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dropcustombutton.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\05.gif (314 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndisabled.gif (455 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_frame.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\06.gif (318 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\pinit.zip (2903 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\01.gif (201 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons_frame.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bg.gif (64 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_0.gif (908 bytes)
    %Program Files% (x86)\AIM Toolbar\aimtb.dll (63702 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply.png (1 bytes)
    %Program Files%\AIM Toolbar\aimtb.dll (82243 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_0.gif (908 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\ani_media_icon.gif (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\facebook.zip (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\renamecustombutton.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsprompt.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\local\search.html (714 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_left_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\branding.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_bot.gif (72 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabNormal.gif (884 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\05.gif (314 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabOver.gif (904 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\04.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\json2.js (18 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\01.gif (201 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\buttons\defaultButtons.xml (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\aolmail.zip (3355 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_2.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popup_icon.gif (240 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_icon.gif (582 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_2.gif (900 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextdown.gif (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dots32.gif (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_2.gif (907 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\evergreen.html (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\stylesheet.css (7 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\trendingtopics.zip (11 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\08.gif (316 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left.gif (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (8320 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enable_bg.jpg (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_0.gif (911 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left.gif (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\custombutton.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdisabled.gif (456 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_2.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll (8696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\stylesheet.css (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_tile.gif (53 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_0.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_icon.gif (462 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_1.gif (821 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevover.gif (152 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_large.gif (171 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\custombutton.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowright.png (939 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe (1181785 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\prd1AA1.tmp (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "AIM for Windows" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: AOL Inc.
Product Name: AIM for Windows
Product Version: 8.0.7.1
Legal Copyright: Copyright 2013 AOL Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 8.0.7.1
File Description: AIM Installer
Comments: Installs the software required for running AIM on your desktop.
Language: Language Neutral

Company Name: AOL Inc.Product Name: AIM for WindowsProduct Version: 8.0.7.1Legal Copyright: Copyright 2013 AOL Inc.Legal Trademarks: Original Filename: Internal Name: File Version: 8.0.7.1File Description: AIM InstallerComments: Installs the software required for running AIM on your desktop.Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.448410bc2ffd32265a08d72b795b18265828d
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686411048810243.26405975304d6dd6c4a4f076b15511e2bbbc0
.ndata1474567782400d41d8cd98f00b204e9800998ecf8427e
.rsrc22528042880430084.45152b9170ccf81cb7aefd12fd98edae10127

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
488f69dd4715e72123c7554267d323bb

Network Activity

URLs

URL IP
hxxp://api.opencandy.com/?bn=3&bv=10.00.9200.16521&clientv=38&cltzone=120&language=en,en&method=get_offers&mstime=0.202&os=WIN6.1SP1-64&product_key=a4465b72941e93bd290f2a57e7175c61&v=1.0&signature=84fe6077d04595477439da3d7e3569ee
hxxp://a1621.dscg.akamai.net/downloadupdater/products.xml
hxxp://arena10304.egslb.aol.com/toolbarfiles/Prod/downloads/aim/current/aol-messaging_trio.exe
hxxp://api.opencandy.com/?clientv=38&method=track_product_installed&mstime=24.102&product_key=a4465b72941e93bd290f2a57e7175c61&session_key=21c7eaf8d0b66cbb74e37c09137bc464&v=1.0&signature=2b6b94de24edbaa3f1a74d1c4a849d5d
hxxp://www.aim.com.websys.akadns.net/.client
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/css/aim.client.css
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/js/aim.client.js
hxxp://a1621.dscg.akamai.net/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?e2e6e6ee353044e2
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/desktop/images/systray_offline.ico
hxxp://arena10304.egslb.aol.com/toolbarfiles/Prod/Content/time/timestamp.php
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ff_en_us_aim_inst_silent_png_previous_googlecom.Google.._-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/nocontentxml.jsp
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_previous_-.Bing.-.-_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ch_en_us_aim_inst_silent_png_previous_-.1._-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ff_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://ftp-newaol.egslb.aol.com/aim/win/appcast.xml
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://a1621.dscg.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1597abc4c85a00a
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMk=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

aim.exe_692:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

8%u:j

8%u:j

u(

u(

8^%uv

8^%uv

FTPjo

FTPjo

:>t.FOCB

:>t.FOCB

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

Load - Frame start for URL:

Load - Frame start for URL:

.\chromely\main\ClientHandler.cc

.\chromely\main\ClientHandler.cc

ClientHandler::SetAppDomain url:

ClientHandler::SetAppDomain url:

SystemObject::SetHotKeyWindow

SystemObject::SetHotKeyWindow

c:\cm\build\public\chromely_win_2014_01\src\apiar\chromely/api/SystemObject.h

c:\cm\build\public\chromely_win_2014_01\src\apiar\chromely/api/SystemObject.h

Load - Frame end for URL:

Load - Frame end for URL:

OnKeyEvent code:

OnKeyEvent code:

ClientHandler::CheckForAppDomain url:

ClientHandler::CheckForAppDomain url:

Load Failed

Load Failed

Load of URL

Load Failed

Load Failed

Load of URL

NAVTYPE_OTHER - mainUrl is

NAVTYPE_OTHER - mainUrl is

app://notification/test.js

app://notification/test.js

app://notification/style.css

app://notification/style.css

app://notification/content.html

app://notification/content.html

app://notification/code.js

app://notification/code.js

app://notification/close.png

app://notification/close.png

app://nonet/test.js

app://nonet/test.js

app://nonet/style.css

app://nonet/style.css

app://nonet/logo.png

app://nonet/logo.png

app://nonet/content.html

app://nonet/content.html

app://nonet/code.js

app://nonet/code.js

app://nonet/clouds.png

app://nonet/clouds.png

app://nonet/background.png

app://nonet/background.png

FRegDeleteKeyExW

FRegDeleteKeyExW

.\chromely\main\main_win.cc

.\chromely\main\main_win.cc

https

https

manifest.bin

manifest.bin

%d sec.

%d sec.

%d msec.

%d msec.

[%s - %s]

[%s - %s]

vsdiff.exe

vsdiff.exe

OnCmdExit hwnd=

OnCmdExit hwnd=

.\chromely\main\BrowserFrame_win.cc

.\chromely\main\BrowserFrame_win.cc

OnChromelyResizeContent - w:

OnChromelyResizeContent - w:

BrowserFrameImpl::OnChromelyHasNavbar

BrowserFrameImpl::OnChromelyHasNavbar

BrowserFrameImpl::OnChromelyGetWindowObject

BrowserFrameImpl::OnChromelyGetWindowObject

OnCmdAppRangeHandler wNotifyCode=

OnCmdAppRangeHandler wNotifyCode=

OnHotKey

OnHotKey

appcmd

appcmd

AOL_CHROMELY_TRACE_KEYS

AOL_CHROMELY_TRACE_KEYS

.\chromely\main\ChromelySwitches.cc

.\chromely\main\ChromelySwitches.cc

.\chromely\core\TrackInfo_win.cc

.\chromely\core\TrackInfo_win.cc

.\chromely\core\string_util.cc

.\chromely\core\string_util.cc

.\chromely\core\BITSDownloadManager_win.cc

.\chromely\core\BITSDownloadManager_win.cc

.\chromely\core\NetworkServices_win.cc

.\chromely\core\NetworkServices_win.cc

system.settings

system.settings

system.displays

system.displays

system.idle

system.idle

Cmdline:

Cmdline:

.\chromely\core\SystemEventsWindow_win.cc

.\chromely\core\SystemEventsWindow_win.cc

system.fastUserSwitch

system.fastUserSwitch

system.locked

system.locked

CHROMELY

CHROMELY

hXXp://aol.com/xml-namespaces/sparkle

hXXp://aol.com/xml-namespaces/sparkle

hXXp://VVV.andymatuschak.org/xml-namespaces/sparkle

hXXp://VVV.andymatuschak.org/xml-namespaces/sparkle

.\chromely\core\ToasterController.cc

.\chromely\core\ToasterController.cc

sig_sha256=%s

sig_sha256=%s

%s?%s

%s?%s

%s&%s&%s

%s&%s&%s

UrlSigner::Add

UrlSigner::Add

.\chromely\core\UrlSigner.cc

.\chromely\core\UrlSigner.cc

%s=%s

%s=%s

Kernel32.dll

Kernel32.dll

.\chromely\core\SystemEvents_win.cc

.\chromely\core\SystemEvents_win.cc

.\chromely\core\XmlParser.cc

.\chromely\core\XmlParser.cc

8.0.7.1

8.0.7.1

.\chromely\core\AIMXMigrator.cc

.\chromely\core\AIMXMigrator.cc

1.2.5

1.2.5

Operation '

Operation '

.\chromely\core\SimpleTimeLogger.cc

.\chromely\core\SimpleTimeLogger.cc

.\chromely\core\SoftwareUpdateManager_win.cc

.\chromely\core\SoftwareUpdateManager_win.cc

info.update

info.update

Chromely new version:

Chromely new version:

Removing URL:

Removing URL:

.\chromely\core\NavigationPolicyController.cc

.\chromely\core\NavigationPolicyController.cc

Checking Url:

Checking Url:

Adding URL:

Adding URL:

chrome-devtools:

chrome-devtools:

WM_0xX

WM_0xX

WM_CTLCOLORMSGBOX

WM_CTLCOLORMSGBOX

WM_SYSKEYUP

WM_SYSKEYUP

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_GETHOTKEY

WM_GETHOTKEY

WM_SETHOTKEY

WM_SETHOTKEY

WM_VKEYTOITEM

WM_VKEYTOITEM

.\chromely\core\ToasterView_win.cc

.\chromely\core\ToasterView_win.cc

.\chromely\core\ToasterModel.cc

.\chromely\core\ToasterModel.cc

.\chromely\core\AppConfig.cc

.\chromely\core\AppConfig.cc

"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

%s

%s

%s

%s

%s %s

%s %s

%s %s

%s %s

%s, %s %d, %d

%s, %s %d, %d

%s

%s

%s

%s (%s):%s

%s

%s (%s):%s

.html

.html

SystemObject::IsHotKeyTag tag=

SystemObject::IsHotKeyTag tag=

.\chromely\api\SystemObject.cc

.\chromely\api\SystemObject.cc

SystemObject::RegisterHotKey did register

SystemObject::RegisterHotKey did register

SystemObject::UnregisterHotKey did unregister tag=

SystemObject::UnregisterHotKey did unregister tag=

registerHotKey

registerHotKey

unregisterHotKey

unregisterHotKey

.\chromely\api\EventObject.cc

.\chromely\api\EventObject.cc

.\chromely\api\AppObject.cc

.\chromely\api\AppObject.cc

Check failed: frame.get().

Check failed: frame.get().

app.terminate

app.terminate

AppObject:TheV8Handler::Execute

AppObject:TheV8Handler::Execute

Setting BlankWindowUrl to:

Setting BlankWindowUrl to:

addInternalUrl

addInternalUrl

appWindows

appWindows

blankWindowUrl

blankWindowUrl

mainUrl

mainUrl

removeInternalUrl

removeInternalUrl

AppObject: CloseAllWindows()

AppObject: CloseAllWindows()

.\chromely\api\AppObject_win.cc

.\chromely\api\AppObject_win.cc

SystemObject::RegisterHotKeyImpl

SystemObject::RegisterHotKeyImpl

.\chromely\api\SystemObject_win.cc

.\chromely\api\SystemObject_win.cc

SystemObject::UnregisterHotKeyImpl

SystemObject::UnregisterHotKeyImpl

.\chromely\api\AppContextMenu.cc

.\chromely\api\AppContextMenu.cc

Unrecognized keyword '

Unrecognized keyword '

Unknown URL signing method.

Unknown URL signing method.

Get URL

Get URL

AuthObject::SignUrl

AuthObject::SignUrl

POST URL

POST URL

.\chromely\api\AuthObject.cc

.\chromely\api\AuthObject.cc

application/x-www-form-urlencoded

application/x-www-form-urlencoded

clientLogin

clientLogin

migratorLogin

migratorLogin

signUrl

signUrl

.\chromely\api\WindowObject.cc

.\chromely\api\WindowObject.cc

WindowObject:TheV8Handler::Execute

WindowObject:TheV8Handler::Execute

Chromely

Chromely

.\chromely\api\InfoObject.cc

.\chromely\api\InfoObject.cc

UpdateObject:TheV8Handler::Execute

UpdateObject:TheV8Handler::Execute

.\chromely\api\WindowObject_win.cc

.\chromely\api\WindowObject_win.cc

.\chromely\api\AppContextMenu_win.cc

.\chromely\api\AppContextMenu_win.cc

FCCreateKey

FCCreateKey

FCSetKeyOptions

FCSetKeyOptions

FCCreatePersistentKey

FCCreatePersistentKey

FCFlushNonSharedPersistentKeys

FCFlushNonSharedPersistentKeys

FCAddDataToKey

FCAddDataToKey

FCDeleteDataFromKey

FCDeleteDataFromKey

FCAddIntToKey

FCAddIntToKey

FCDeleteIntFromKey

FCDeleteIntFromKey

FCAddStringToKey

FCAddStringToKey

FCDeleteStringFromKey

FCDeleteStringFromKey

FCAddDateToKey

FCAddDateToKey

FCDeleteDateFromKey

FCDeleteDateFromKey

FCCreateSupportIncidentInternal

FCCreateSupportIncidentInternal

FCClearKeys

FCClearKeys

FCClearKey

FCClearKey

FCDeleteKey

FCDeleteKey

SHELL32.dll

SHELL32.dll

inflate 1.2.5 Copyright 1995-2010 Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

.\time_win.cc

.\time_win.cc

user.js

user.js

.\file_path.cc

.\file_path.cc

.\file_util_win.cc

.\file_util_win.cc

Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.MapViewOfFile".

Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.MapViewOfFile".

MemoryMappedFile.MapViewOfFile

MemoryMappedFile.MapViewOfFile

Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.CreateFileMapping".

Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.CreateFileMapping".

MemoryMappedFile.CreateFileMapping

MemoryMappedFile.CreateFileMapping

c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_handle.h

c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_handle.h

Performing shell operation

Performing shell operation

ERROR_REPORT

ERROR_REPORT

.\logging.cc

.\logging.cc

.\command_line.cc

.\command_line.cc

.\utf_string_conversions.cc

.\utf_string_conversions.cc

.\at_exit.cc

.\at_exit.cc

.\json\json_writer.cc

.\json\json_writer.cc

.\values.cc

.\values.cc

Check failed: IsStringUTF8(key).

Check failed: IsStringUTF8(key).

ins_res.first->second != in_value

ins_res.first->second != in_value

Dictionary keys must be quoted.

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Unsupported encoding. JSON must be UTF-8.

Check failed: it != outbuf.begin().

Check failed: it != outbuf.begin().

.\string_number_conversions.cc

.\string_number_conversions.cc

@: Bad boy, the buffer passed to placement new is not aligned!

@: Bad boy, the buffer passed to placement new is not aligned!

c:\cm\build\public\chromely_win_2014_01\src\base/lazy_instance.h

c:\cm\build\public\chromely_win_2014_01\src\base/lazy_instance.h

Check failed: path.empty().

Check failed: path.empty().

key >= base::DIR_CURRENT

key >= base::DIR_CURRENT

.\path_service.cc

.\path_service.cc

Y@.\string_util.cc

Y@.\string_util.cc

.\pickle.cc

.\pickle.cc

(%d = %3.1f%%)

(%d = %3.1f%%)

R@.\metrics\histogram.cc

R@.\metrics\histogram.cc

Check failed: histogram.bucket_ranges()->HasValidChecksum().

Check failed: histogram.bucket_ranges()->HasValidChecksum().

(flags = 0x%x)

(flags = 0x%x)

samples.sum() == 0

samples.sum() == 0

Histogram: %s recorded %d samples

Histogram: %s recorded %d samples

Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountLow".

Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountLow".

Histogram.InconsistentCountLow

Histogram.InconsistentCountLow

Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountHigh".

Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountHigh".

Histogram.InconsistentCountHigh

Histogram.InconsistentCountHigh

.\win\scoped_handle.cc

.\win\scoped_handle.cc

.\platform_file_win.cc

.\platform_file_win.cc

.\win\windows_version.cc

.\win\windows_version.cc

version_number_.minor == 2

version_number_.minor == 2

.\vlog.cc

.\vlog.cc

.\string_split.cc

.\string_split.cc

value.size()

value.size()

.\callback_internal.cc

.\callback_internal.cc

\uX

\uX

.\json\json_parser.cc

.\json\json_parser.cc

0123456789

0123456789

.\third_party\dmg_fp\dtoa_wrapper.cc

.\third_party\dmg_fp\dtoa_wrapper.cc

c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_co_mem.h

c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_co_mem.h

.\threading\thread_local_win.cc

.\threading\thread_local_win.cc

.\metrics\statistics_recorder.cc

.\metrics\statistics_recorder.cc

Check failed: bucket_index >= 0 && bucket_index

Check failed: bucket_index >= 0 && bucket_index

.\metrics\sample_vector.cc

.\metrics\sample_vector.cc

.\metrics\bucket_ranges.cc

.\metrics\bucket_ranges.cc

i

i

CHROME_PROFILER_TIME

CHROME_PROFILER_TIME

.\threading\thread_local_storage_win.cc

.\threading\thread_local_storage_win.cc

.\metrics\histogram_samples.cc

.\metrics\histogram_samples.cc

requested feature requires XML_DTD support in Expat

requested feature requires XML_DTD support in Expat

unexpected parser state - please send a bug report

unexpected parser state - please send a bug report

xml=hXXp://VVV.w3.org/XML/1998/namespace

xml=hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns/

hXXp://VVV.w3.org/2000/xmlns/

kernel32.dll

kernel32.dll

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

operator

operator

gdiplus.dll

gdiplus.dll

full-memory-crash-report

full-memory-crash-report

c:\cm\build\public\chromely_win_2014_01\src\apiar\Release\AIM.pdb

c:\cm\build\public\chromely_win_2014_01\src\apiar\Release\AIM.pdb

ShellExecuteW

ShellExecuteW

GdiplusShutdown

GdiplusShutdown

SHFileOperationW

SHFileOperationW

WININET.dll

WININET.dll

VERSION.dll

VERSION.dll

MSIMG32.dll

MSIMG32.dll

WS2_32.dll

WS2_32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

RPCRT4.dll

RPCRT4.dll

COMCTL32.dll

COMCTL32.dll

KERNEL32.dll

KERNEL32.dll

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

GetKeyState

GetKeyState

EnumThreadWindows

EnumThreadWindows

RegisterHotKey

RegisterHotKey

UnregisterHotKey

UnregisterHotKey

GetKeyNameTextW

GetKeyNameTextW

MapVirtualKeyExW

MapVirtualKeyExW

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

COMDLG32.dll

COMDLG32.dll

RegDeleteKeyW

RegDeleteKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

libcef.dll

libcef.dll

CRYPT32.dll

CRYPT32.dll

SensApi.dll

SensApi.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

WTSAPI32.dll

WTSAPI32.dll

WINMM.dll

WINMM.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

cef_parse_url

cef_parse_url

cef_web_urlrequest_create

cef_web_urlrequest_create

cef_string_map_key

cef_string_map_key

cef_string_multimap_key

cef_string_multimap_key

system.trackInfo

system.trackInfo

system.sleep

system.sleep

app.oncommand

app.oncommand

network.available

network.available

network.ipaddrchange

network.ipaddrchange

zcÁ

zcÁ

g%u%w

g%u%w

eYb)ý

eYb)ý

5-x}&

5-x}&

.no&Gmh

.no&Gmh

x%d{

x%d{

V%xk&

V%xk&

.ml)5

.ml)5

var state = this.readyState;

var state = this.readyState;

if (state == this.DONE) {

if (state == this.DONE) {

if (this.status == 200) {

if (this.status == 200) {

redirected = this.responseText.toUpperCase().indexOf(app.validityId)

redirected = this.responseText.toUpperCase().indexOf(app.validityId)

console.log("XMLHttpRequest response " (redirected ? "redirected" : "valid"));

console.log("XMLHttpRequest response " (redirected ? "redirected" : "valid"));

console.log("XMLHttpRequest status: " this.status);

console.log("XMLHttpRequest status: " this.status);

if (app.network.available) {

if (app.network.available) {

if (app.validityId) {

if (app.validityId) {

console.log("Starting XMLHttpRequest for " app.mainUrl);

console.log("Starting XMLHttpRequest for " app.mainUrl);

var req = new XMLHttpRequest();

var req = new XMLHttpRequest();

req.onreadystatechange = onReadyStateChange;

req.onreadystatechange = onReadyStateChange;

req.open("GET", app.mainUrl);

req.open("GET", app.mainUrl);

req.send();

req.send();

console.log("Reloading page (no validity id) " app.mainUrl);

console.log("Reloading page (no validity id) " app.mainUrl);

appWindow.resizeTo(kWidth, kHeight, false);

appWindow.resizeTo(kWidth, kHeight, false);

appWindow.setMinContentSize(kWidth, kHeight);

appWindow.setMinContentSize(kWidth, kHeight);

appWindow.center();

appWindow.center();

app.events.register("network.available", check);

app.events.register("network.available", check);

app.events.unregister("network.available", check);

app.events.unregister("network.available", check);

timerid = setTimeout(check, app.validityId ? 250 : 5000);

timerid = setTimeout(check, app.validityId ? 250 : 5000);

var tryagain = document.getElementById('tryagain');

var tryagain = document.getElementById('tryagain');

tryagain.addEventListener("click", onReady, false);

tryagain.addEventListener("click", onReady, false);

appWindow.oncontextmenu = onContextMenu;

appWindow.oncontextmenu = onContextMenu;

appWindow.oncontextmenu = null;

appWindow.oncontextmenu = null;

menu.deleteItemByTag( [9, 10, 40005, 40006] );

menu.deleteItemByTag( [9, 10, 40005, 40006] );

document.location = app.mainUrl;

document.location = app.mainUrl;

app.system.openExternal("hXXp://VVV.aim.com");

app.system.openExternal("hXXp://VVV.aim.com");

background-image:url(background.png);

background-image:url(background.png);

.center {

.center {

background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#ffffff), color-stop(25%, #ffffff), to(#e6e6e6));

background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#ffffff), color-stop(25%, #ffffff), to(#e6e6e6));

background-image: -webkit-linear-gradient(#ffffff, #ffffff 25%, #e6e6e6);

background-image: -webkit-linear-gradient(#ffffff, #ffffff 25%, #e6e6e6);

-webkit-transition: 0.1s linear all;

-webkit-transition: 0.1s linear all;

button.good {

button.good {

background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #62c462), color-stop(100%, #04a500));

background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #62c462), color-stop(100%, #04a500));

background-image: -webkit-linear-gradient(top, #62c462, #04a500);

background-image: -webkit-linear-gradient(top, #62c462, #04a500);

background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #F26C24), color-stop(100%, #E6490C));

background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #F26C24), color-stop(100%, #E6490C));

background-image: -webkit-linear-gradient(top, #F26C24, #E6490C);

background-image: -webkit-linear-gradient(top, #F26C24, #E6490C);

-webkit-box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.25), 0 1px 2px rgba(0, 0, 0, 0.05);

-webkit-box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.25), 0 1px 2px rgba(0, 0, 0, 0.05);

.logo {

.logo {

background-image: url('logo.png');

background-image: url('logo.png');

.clouds {

.clouds {

background-image: url('clouds.png');

background-image: url('clouds.png');

fiTXtXML:com.adobe.xmp

fiTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

config = appNotification.getConfig();

config = appNotification.getConfig();

window.addEventListener("load", function() {

window.addEventListener("load", function() {

document.body.style.width = config.width "px";

document.body.style.width = config.width "px";

window.addEventListener("unload", function() {

window.addEventListener("unload", function() {

appNotification.closed(false);

appNotification.closed(false);

window.addEventListener("message", function(e) {

window.addEventListener("message", function(e) {

var cmd = e.data[0];

var cmd = e.data[0];

console.log('onmessage', e.data);

console.log('onmessage', e.data);

if (cmd == 'hi') {

if (cmd == 'hi') {

var child = document.body.firstChild;

var child = document.body.firstChild;

if (child.nodeName == "DIV") {

if (child.nodeName == "DIV") {

child.firstChild.contentWindow.postMessage(["id", parseInt(child.id)], "*");

child.firstChild.contentWindow.postMessage(["id", parseInt(child.id)], "*");

child = child.nextSibling;

child = child.nextSibling;

} else if (cmd == 'size') {

} else if (cmd == 'size') {

} else if (cmd == 'keep') {

} else if (cmd == 'keep') {

HandleKeepOpen(e.data[1]);

HandleKeepOpen(e.data[1]);

} else if (cmd == 'close') {

} else if (cmd == 'close') {

HandleClose(e.data[1], e.data[2]);

HandleClose(e.data[1], e.data[2]);

} else if (cmd == 'click') {

} else if (cmd == 'click') {

appNotification.clicked(e.data[1]);

appNotification.clicked(e.data[1]);

appWindow.setExtraPixels(0, config.height);

appWindow.setExtraPixels(0, config.height);

console.debug("HandleResize()");

console.debug("HandleResize()");

var heightDelta = document.body.clientHeight - lastHeight;

var heightDelta = document.body.clientHeight - lastHeight;

var widthDelta = document.body.clientWidth - lastWidth;

var widthDelta = document.body.clientWidth - lastWidth;

lastHeight = document.body.clientHeight;

lastHeight = document.body.clientHeight;

lastWidth = document.body.clientWidth;

lastWidth = document.body.clientWidth;

appWindow.resizeTo(lastWidth, lastHeight, true);

appWindow.resizeTo(lastWidth, lastHeight, true);

element = document.getElementById(id);

element = document.getElementById(id);

appNotification.closed(id, userClosed);

appNotification.closed(id, userClosed);

element.parentNode.removeChild(element);

element.parentNode.removeChild(element);

var e = document.getElementById(id);

var e = document.getElementById(id);

e.onmouseout = null;

e.onmouseout = null;

e.onmouseover = null;

e.onmouseover = null;

if (data.timerId) {

if (data.timerId) {

clearTimeout(data.timerId);

clearTimeout(data.timerId);

data.timerId = 0;

data.timerId = 0;

var ticks = timers[id].endAt - ( new Date());

var ticks = timers[id].endAt - ( new Date());

if (ticks

if (ticks

ticks = config.mouseOutWaitMS;

ticks = config.mouseOutWaitMS;

timers[id].timerId = setTimeout( function() {

timers[id].timerId = setTimeout( function() {

timers[id].timerId = 0;

timers[id].timerId = 0;

var element = document.createElement(tag);

var element = document.createElement(tag);

function CreateMsgElemForId(id) {

function CreateMsgElemForId(id) {

"className": "msg",

"className": "msg",

appNotification.clicked(id);

appNotification.clicked(id);

e.stopPropagation();

e.stopPropagation();

function ShowNotification(id, url) {

function ShowNotification(id, url) {

console.debug("frame src: " url);

console.debug("frame src: " url);

var div = CreateMsgElemForId(id);

var div = CreateMsgElemForId(id);

"src": url

"src": url

if (config.width && config.height) {

if (config.width && config.height) {

frame.style.width = (config.width - 6) "px";

frame.style.width = (config.width - 6) "px";

frame.style.height = config.height "px";

frame.style.height = config.height "px";

div.appendChild(frame);

div.appendChild(frame);

div.appendChild(img);

div.appendChild(img);

document.body.appendChild(div);

document.body.appendChild(div);

HandleInsertTimeout(id, config.displayMS);

HandleInsertTimeout(id, config.displayMS);

appNotification.displayed(id);

appNotification.displayed(id);

.msg {

.msg {

.close {

.close {

background: url("close.png") repeat scroll 0 0 transparent;

background: url("close.png") repeat scroll 0 0 transparent;

.msg:hover .close {

.msg:hover .close {

4A4U4t4y4~4

4A4U4t4y4~4

:%: :1:6:<:>

:%: :1:6:<:>

:":3:8:=:

:":3:8:=:

7-7A7U7i7}7

7-7A7U7i7}7

2%3x3

2%3x3

7%8x8

7%8x8

0"012:2@2

0"012:2@2

= =$=(=,=0=4=

= =$=(=,=0=4=

= =$=(=,=0=

= =$=(=,=0=

> >$>(>,>0>

> >$>(>,>0>

5!5,5?5}5

5!5,5?5}5

;$; ;1;8;

;$; ;1;8;

6!6(6/666=6

6!6(6/666=6

3 3$3(3,3

3 3$3(3,3

: :$:(:,:0:4:8:<:>

: :$:(:,:0:4:8:<:>

5'5,50545]5

5'5,50545]5

0014181

0014181

3 3$3(3,303

3 3$3(3,303

0

0

0 0

0 0

10181

10181

devtools_resources.pak

devtools_resources.pak

console.log

console.log

Chrome_MessagePumpWindow

Chrome_MessagePumpWindow

WAdvapi32.dll

WAdvapi32.dll

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

npswf32.dll

npswf32.dll

json_data_1.txt

json_data_1.txt

"%s" "%s" "%s"

"%s" "%s" "%s"

json_data_2.txt

json_data_2.txt

comctl32.dll

comctl32.dll

ChromelyFrameWindow

ChromelyFrameWindow

{97E27FAA-C0B3-4b8e-A693-ED7881E99FC1}

{97E27FAA-C0B3-4b8e-A693-ED7881E99FC1}

- MediaMonkey

- MediaMonkey

DShell32.dll

DShell32.dll

Software\Classes\%s\shell\open\command

Software\Classes\%s\shell\open\command

"%s,0"

"%s,0"

URL Protocol

URL Protocol

Software\Classes\%s

Software\Classes\%s

https=

https=

http=

http=

AOL Chromely Update

AOL Chromely Update

eChromelySystemEventsWindow

eChromelySystemEventsWindow

chromely:show

chromely:show

https:

https:

http:

http:

%s,%d

%s,%d

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

aimx.bin

aimx.bin

aimx.migrated

aimx.migrated

config.xml

config.xml

install.exe

install.exe

NPSWF32.dll

NPSWF32.dll

*.tmp

*.tmp

"%s" /S /RELAUNCH=%s

"%s" /S /RELAUNCH=%s

"%s" /RELAUNCH=%s

"%s" /RELAUNCH=%s

ChromelyNotificationWindow

ChromelyNotificationWindow

hXXp://VVV.aim.com

hXXp://VVV.aim.com

%s-%d-d-d--d-d-d.png

%s-%d-d-d--d-d-d.png

styles.css

styles.css

sndvol32.exe

sndvol32.exe

sndvol.exe

sndvol.exe

%s%c%s

%s%c%s

ChromelyCloakWindow

ChromelyCloakWindow

aolload.exe

aolload.exe

tbdiag.dll

tbdiag.dll

debug_message.exe

debug_message.exe

debug.log

debug.log

.\debug.log

.\debug.log

psapi.dll

psapi.dll

$kernel32.dll

$kernel32.dll

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL

C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe

C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe

AIM for Windows

AIM for Windows

AIM for Windows Version 8.0.7.1

AIM for Windows Version 8.0.7.1

%s Sounds

%s Sounds

aim.exe

aim.exe

aol-messaging_trio1C76.exe_2744:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"

ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

inetc.dll

inetc.dll

4-db756a951760}\

4-db756a951760}\

refs.js

refs.js

\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

tbconfig.ini

tbconfig.ini

AOL_Search.exe

AOL_Search.exe

pData\Local\Temp\nsf64BC.tmp\inetc.dll

pData\Local\Temp\nsf64BC.tmp\inetc.dll

Thawte Certification1

Thawte Certification1

hXXp://ocsp.thawte.com0

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

-America Online Root Certification Authority 10

-America Online Root Certification Authority 10

'hXXps://pki-info.aol.com/AOL/index.html05

'hXXps://pki-info.aol.com/AOL/index.html05

$hXXp://crl.aol.com/AOL/MasterCRL.crl0

$hXXp://crl.aol.com/AOL/MasterCRL.crl0

hXXp://ocsp.web.aol.com:80/ocsp0

hXXp://ocsp.web.aol.com:80/ocsp0

hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0

hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0

hXXp://pki-info.aol.com/AOLMSPKI/index.html0

hXXp://pki-info.aol.com/AOLMSPKI/index.html0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

VVV.aol.com 0

VVV.aol.com 0

E.BUK

E.BUK

%%9UU

%%9UU

R.mT5

R.mT5

SSSSSShUf1G=ttttt xxxxxx:::httt

SSSSSShUf1G=ttttt xxxxxx:::httt

Nullsoft Install System v2.46

Nullsoft Install System v2.46

(D;.Ey

(D;.Ey

\.lR%

\.lR%

%ulDK

%ulDK

*fz%F

*fz%F

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe\"

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe\"

{c2f863cd-0429-48c7-bb54-db756a951760}

{c2f863cd-0429-48c7-bb54-db756a951760}

-12-2014

-12-2014

\AppData\Local\Temp\nsf64BC.tmp

\AppData\Local\Temp\nsf64BC.tmp

ers\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar

ers\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar

1.1.0.1.ieff

1.1.0.1.ieff

pData\Local\AIM Toolbar\ieToolbar\en-US\default_aim.xml

pData\Local\AIM Toolbar\ieToolbar\en-US\default_aim.xml

content\aoltoolbar.xul

content\aoltoolbar.xul

ref("toolkit.telemetry.previousBuildID", "20140506152807");

ref("toolkit.telemetry.previousBuildID", "20140506152807");

"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

ttp://web.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}

ttp://web.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}

ttp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}

ttp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}

//toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE

//toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE

er\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

er\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");

IEXPLORE.EXE

IEXPLORE.EXE

{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

bble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE

bble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe" /t_target=ieff /s_target=ieffch /h_target=ieffch /closeprompt=0 /S

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe" /t_target=ieff /s_target=ieffch /h_target=ieffch /closeprompt=0 /S

%Program Files% (x86)\AIM Toolbar

%Program Files% (x86)\AIM Toolbar

29-48c7-bb54-db756a951760}

29-48c7-bb54-db756a951760}

C:\Users\"%CurrentUserName%"\AppData\Local\Temp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp

aol-messaging_trio1C76.exe

aol-messaging_trio1C76.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsk648C.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nsk648C.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe

iexplore.exe

iexplore.exe

C:\ProgramData\AIM Toolbar\ieToolbar\resources

C:\ProgramData\AIM Toolbar\ieToolbar\resources

\Program Files (x86)\Google\Chrome\Application

\Program Files (x86)\Google\Chrome\Application

hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ff&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1

hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ff&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1

hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1

hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default

.google.com

.google.com

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

9.10.9200.16521

9.10.9200.16521

10.9200.16521

10.9200.16521

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid={uid}

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid={uid}

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid={uid}

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid={uid}

tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-

tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-

17-12-2014

17-12-2014

5.96.10.10013

5.96.10.10013

hXXp://search.aol.com/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

hXXp://search.aol.com/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

e.com

e.com

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default

444444444

444444444

2888888

2888888

Nullsoft Install System v2.46

Nullsoft Install System v2.46

5.96.174.1

5.96.174.1

aol-messaging_toolbar_ie.exe

aol-messaging_toolbar_ie.exe

ogle\Chrome\Application

ogle\Chrome\Application

${_DUALEXENAME_}

${_DUALEXENAME_}

AOL_Search.exe_3728:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

Local\Temp\nsf99C0.tmp\AOL.dll

Local\Temp\nsf99C0.tmp\AOL.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll

43789B7-F39C-4b5c-9287-DA72D38F4FE6}

43789B7-F39C-4b5c-9287-DA72D38F4FE6}

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp

@.reloc

@.reloc

c:\cm\build\public\setiesearch_05022013_9\toolbar\addons\nsis\homepagesearch\setiesearch\Release\AOL.pdb

c:\cm\build\public\setiesearch_05022013_9\toolbar\addons\nsis\homepagesearch\setiesearch\Release\AOL.pdb

MSVCR90.dll

MSVCR90.dll

_malloc_crt

_malloc_crt

_amsg_exit

_amsg_exit

_crt_debugger_hook

_crt_debugger_hook

UrlEscapeW

UrlEscapeW

SHLWAPI.dll

SHLWAPI.dll

MSVCP90.dll

MSVCP90.dll

AOL.dll

AOL.dll

Thawte Certification1

Thawte Certification1

hXXp://ocsp.thawte.com0

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

-America Online Root Certification Authority 10

-America Online Root Certification Authority 10

'hXXps://pki-info.aol.com/AOL/index.html05

'hXXps://pki-info.aol.com/AOL/index.html05

$hXXp://crl.aol.com/AOL/MasterCRL.crl0

$hXXp://crl.aol.com/AOL/MasterCRL.crl0

hXXp://ocsp.web.aol.com:80/ocsp0

hXXp://ocsp.web.aol.com:80/ocsp0

hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0

hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0

hXXp://pki-info.aol.com/AOLMSPKI/index.html0

hXXp://pki-info.aol.com/AOLMSPKI/index.html0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

VVV.aol.com 0

VVV.aol.com 0

SELECT %s WHERE rowid=?

SELECT %s WHERE rowid=?

INSERT INTO %Q.'%q_content' VALUES(%s)

INSERT INTO %Q.'%q_content' VALUES(%s)

SQL logic error or missing database

SQL logic error or missing database

unknown operation

unknown operation

large file support is disabled

large file support is disabled

sqlite_version

sqlite_version

sqlite_source_id

sqlite_source_id

sqlite_log

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_compileoption_get

sqlite_compileoption_get

sqlite_rename_table

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_parent

sqlite_rename_parent

CREATE TEMP TABLE sqlite_temp_master(

CREATE TEMP TABLE sqlite_temp_master(

sql text

sql text

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

SQLite format 3

SQLite format 3

foreign_keys

foreign_keys

sqlite_attach

sqlite_attach

sqlite_detach

sqlite_detach

RowKey

RowKey

(%d) %s

(%d) %s

/****** %s ******/

/****** %s ******/

%s ORDER BY rowid DESC

%s ORDER BY rowid DESC

/****** ERROR: %s ******/

/****** ERROR: %s ******/

/**** ERROR: (%d) %s *****/

/**** ERROR: (%d) %s *****/

DELETE FROM sqlite_sequence;

DELETE FROM sqlite_sequence;

sqlite_sequence

sqlite_sequence

sqlite_stat1

sqlite_stat1

ANALYZE sqlite_master;

ANALYZE sqlite_master;

sqlite_

sqlite_

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

Kernel32.dll

Kernel32.dll

Error: unable to open database "%s": %s

Error: unable to open database "%s": %s

%*s = %s

%*s = %s

%-*.*s%s

%-*.*s%s

INSERT INTO %s VALUES(

INSERT INTO %s VALUES(

%sNULL

%sNULL

Memory Used: %d (max %d) bytes

Memory Used: %d (max %d) bytes

Number of Outstanding Allocations: %d (max %d)

Number of Outstanding Allocations: %d (max %d)

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Largest Allocation: %d bytes

Largest Allocation: %d bytes

|O%D$V

|O%D$V

'%s("B!

'%s("B!

.nnnI

.nnnI

Largest Pcache Allocation: %d bytes

Largest Pcache Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Lookaside Slots Used: %d (max %d)

Lookaside Slots Used: %d (max %d)

Successful lookaside attempts: %d

Successful lookaside attempts: %d

Lookaside failures due to size: %d

Lookaside failures due to size: %d

Lookaside failures due to OOM: %d

Lookaside failures due to OOM: %d

Pager Heap Usage: %d bytes

Pager Heap Usage: %d bytes

Page cache hits: %d

Page cache hits: %d

Page cache misses: %d

Page cache misses: %d

Schema Heap Usage: %d bytes

Schema Heap Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Fullscan Steps: %d

Fullscan Steps: %d

Sort Operations: %d

Sort Operations: %d

Autoindex Inserts: %d

Autoindex Inserts: %d

CPU Time: user %f sys %f

CPU Time: user %f sys %f

Error: near line %d:

Error: near line %d:

%s %s

%s %s

Error: incomplete SQL: %s

Error: incomplete SQL: %s

Error: cannot open "%s"

Error: cannot open "%s"

Error: %s

Error: %s

PRAGMA foreign_keys=OFF;

PRAGMA foreign_keys=OFF;

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

import

import

Error: non-null separator required for import

Error: non-null separator required for import

SELECT * FROM %s

SELECT * FROM %s

INSERT INTO %s VALUES(?

INSERT INTO %s VALUES(?

Error: %s line %d: expected %d columns of data but found %d

Error: %s line %d: expected %d columns of data but found %d

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

Error: querying sqlite_master and sqlite_temp_master

Error: querying sqlite_master and sqlite_temp_master

Error: invalid arguments: "%s". Enter ".help" for help

Error: invalid arguments: "%s". Enter ".help" for help

Error: cannot write to "%s"

Error: cannot write to "%s"

sqlite_master

sqlite_master

CREATE TABLE sqlite_master (

CREATE TABLE sqlite_master (

sqlite_temp_master

sqlite_temp_master

CREATE TEMP TABLE sqlite_temp_master (

CREATE TEMP TABLE sqlite_temp_master (

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), name

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), name

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), name

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), name

%9.9s: %s

%9.9s: %s

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') ORDER BY 1

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') ORDER BY 1

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') AND name LIKE shellstatic() ORDER BY 1

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') AND name LIKE shellstatic() ORDER BY 1

%s%-*s

%s%-*s

ambiguous option name: "%s"

ambiguous option name: "%s"

Error: invalid testctrl option: %s

Error: invalid testctrl option: %s

%d (0xx)

%d (0xx)

Error: testctrl %s takes a single int option

Error: testctrl %s takes a single int option

Error: testctrl %s takes no options

Error: testctrl %s takes no options

Error: testctrl %s takes a single unsigned int option

Error: testctrl %s takes a single unsigned int option

Error: CLI support for testctrl %s not implemented

Error: CLI support for testctrl %s not implemented

SQLite %s %s

SQLite %s %s

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

SQLite header and source version mismatch

SQLite header and source version mismatch

sqlite>

sqlite>

no such VFS: "%s"

no such VFS: "%s"

%s: Error: too many options: "%s"

%s: Error: too many options: "%s"

%s: Error: cannot locate your home directory

%s: Error: cannot locate your home directory

%s: Error: out of memory

%s: Error: out of memory

%s/.sqliterc

%s/.sqliterc

-- Loading resources from %s

-- Loading resources from %s

%s: Error: missing argument for option: %s

%s: Error: missing argument for option: %s

Usage: %s [OPTIONS] FILENAME [SQL]

Usage: %s [OPTIONS] FILENAME [SQL]

FILENAME is the name of an SQLite database. A new database is created

FILENAME is the name of an SQLite database. A new database is created

Error: unable to process SQL "%s"

Error: unable to process SQL "%s"

%s: Error: unknown option: %s

%s: Error: unknown option: %s

SQLite version %s %.19s

SQLite version %s %.19s

Enter ".help" for instructions

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

Enter SQL statements terminated with a ";"

%s/.sqlite_history

%s/.sqlite_history

-cmd command run "command" before reading stdin

-cmd command run "command" before reading stdin

-echo print commands before execution

-echo print commands before execution

-version show SQLite version

-version show SQLite version

iskeyword

iskeyword

Kmingwm10.dll

Kmingwm10.dll

__mingwthr_remove_key_dtor

__mingwthr_remove_key_dtor

__mingwthr_key_dtor

__mingwthr_key_dtor

VirtualQuery failed for %d bytes at address %p

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation bit size %d.

msvcrt.dll

msvcrt.dll

unable to open database: %s

unable to open database: %s

unrecognized parameter: %s

unrecognized parameter: %s

unrecognized matchinfo: %s

unrecognized matchinfo: %s

unrecognized order: %s

unrecognized order: %s

error parsing prefix parameter: %s

error parsing prefix parameter: %s

missing %s parameter in fts4 constructor

missing %s parameter in fts4 constructor

,%s(x.'c%d%q')

,%s(x.'c%d%q')

FROM '%q'.'%q%s' AS x

FROM '%q'.'%q%s' AS x

,%s(?)

,%s(?)

docid INTEGER PRIMARY KEY

docid INTEGER PRIMARY KEY

%z, 'c%d%q'

%z, 'c%d%q'

CREATE TABLE %Q.'%q_content'(%s)

CREATE TABLE %Q.'%q_content'(%s)

CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));

CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));

CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);

CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);

CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);

CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);

CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)

CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)

cannot open value of type %s

cannot open value of type %s

foreign key

foreign key

indexed

indexed

cannot open virtual table: %s

cannot open virtual table: %s

cannot open view: %s

cannot open view: %s

no such column: "%s"

no such column: "%s"

cannot open %s column for writing

cannot open %s column for writing

%s_segments

%s_segments

malformed MATCH expression: [%s]

malformed MATCH expression: [%s]

SELECT %s ORDER BY rowid %s

SELECT %s ORDER BY rowid %s

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

Page %d is never used

Page %d is never used

Pointer map page %d is referenced

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

Outstanding page count goes from %d to %d during this analysis

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

database table is locked: %s

database table is locked: %s

zeroblob(%d)

zeroblob(%d)

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

E.BUK

E.BUK

%%9UU

%%9UU

nsf99C0.tmp

nsf99C0.tmp

{443789B7-F39C-4b5c-9287-DA72D38F4FE6}

{443789B7-F39C-4b5c-9287-DA72D38F4FE6}

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini

Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini

Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini

0633EE93-D776-472f-A0FF-E1416B8B2E3A}

0633EE93-D776-472f-A0FF-E1416B8B2E3A}

ewtaburl

ewtaburl

turl

turl

ttp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

ttp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp

AOL_Search.exe

AOL_Search.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsp99AF.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nsp99AF.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe

9.10.9200.16521

9.10.9200.16521

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=aimright-ie&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

hXXp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=aimright-ie&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014

hXXp://autocomplete.search.aol.com/autocomplete/get?q={searchTerms}&count=10&it={source}-en-us&output=json&it=aimright-ie

hXXp://autocomplete.search.aol.com/autocomplete/get?q={searchTerms}&count=10&it={source}-en-us&output=json&it=aimright-ie

17-12-2014

17-12-2014

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE

Nullsoft Install System v2.46

Nullsoft Install System v2.46

888816666554443

888816666554443

6666554443

6666554443

!6666554443

!6666554443

1.3.11.1

1.3.11.1

AOL_Search.exe_3728_rwx_10004000_00001000:

callback%d

callback%d