not-a-virus:WebToolbar.NSIS.Agent.g (Kaspersky), Adware.Agent (VIPRE), PUA.ClientConnect (Ikarus), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, PUPArcadeFrontier.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, WebToolbar, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 69947275056425925a4b38d6af1b2676
SHA1: 84ce192587c7e43dc7bf2687ac2d7550944defa5
SHA256: 8f3646e48034580750a640ff1ba58c54ac02426f93af2529142dfa99932ccaf5
SSDeep: 24576:2u4lcVXmBGsTK9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5iL:RVXmBGx9qhGb1uxjFwSu1Dom8L
Size: 1364928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:30:47
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsgB5.exe:1884
SPIdentifier.exe:1524
%original file name%.exe:480
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsgB5.exe:1884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nsgB5.log (1847 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\SPtool.dll (65457 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB6.tmp (0 bytes)
The process SPIdentifier.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB5.exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\SPIdentifierImpl[1].exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB3.tmp (2820 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB4.tmp (0 bytes)
The process %original file name%.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)
Registry activity
The process nsgB5.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 2C C8 2D D8 69 26 81 A1 E1 19 1F E7 BD 50 9F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy map to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process SPIdentifier.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB4.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 00 70 C0 3D 16 B7 1B F6 9B 64 06 C0 19 24 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy map to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB C9 4B 27 81 7A 95 87 F1 AF 27 CB BF 1A E8 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
73554f3944811c0c4b393826943be2ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe |
9fb9d49c2db7edd1084ab765d619f5c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe |
af94cca6a6fc581a7d729ee032865c93 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsgB5.exe:1884
SPIdentifier.exe:1524
%original file name%.exe:480
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nsgB5.log (1847 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB7.tmp\SPtool.dll (65457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB5.exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\SPIdentifierImpl[1].exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB3.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 246208 | 246272 | 4.50934 | 7cf75458c59660d3839fddf64a29d6ea |
.rdata | 253952 | 71114 | 71168 | 3.20352 | b830963011b5aec0d58065f222f71c24 |
.data | 327680 | 20352 | 9216 | 3.15681 | 6e22e64b6251206a0b23339d0328b9f3 |
.rsrc | 348160 | 1005432 | 1005568 | 5.51624 | a99372bde4e34348aa0c441f00de83e8 |
.reloc | 1355776 | 26534 | 26624 | 3.23001 | 84b397536f337bce65fb2d156faa309c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 115
3c8972ea4cc326c8dc5ea2e448a57edf
fa3eadaa32f50f53286a9326a6dc0c6c
6838134ab9e5c4476208e80ec9838f86
03320b5e38c9030bff2edc160bced1fa
0b176b566b4cfe000d6d622a962d800c
a5dda64b6f6e099c5f1e2bf7d5e8a2ee
942309fd9c879730c244ff064544e1a6
998c2429060446a9e09634bfe1b53650
17aaf0e05c98f51a82231325a4ea7f0b
932257269d52e1eeb169352fb37902b4
1e563e74b93c9dd5456db6728f89abdc
6d7c94fab61aafcfdd89210100150133
85f78adf44704227518555de37406035
2ae702487441537a40514170da0bc7fa
2a6ccf0307407a9d01b533a8d223da49
56796703742646134b8750f1ac59da30
26391e798fa0cb0e2b335317b523a750
79bf012e88275b3b5abe2afcf8da43f6
dffcee438150f0ec70e0c1ea70e5adaa
446488a13d1087c9d95131248559309f
d00801a5b899464ceced8506d1f0324a
9c436d047b1eb40dfdac28cfe8de4cdf
7536f19e2f26f91bd25d2fbaa3c1d939
6da80cc7a93eda9d6fcd998ceafbc21f
6e4394da0c0a2c17047a48896e54c897
Network Activity
URLs
URL | IP |
---|---|
hxxp://fagamesframework.com/af/getExternalGamesInfo/ticket=aHANh6383002sUPQI3BC | 74.120.16.112 |
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
hxxp://Jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe | 23.9.99.152 |
hxxp://sp-installer.databssint.com/ | 54.243.91.144 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Thu, 28 Aug 2014 07:39:04 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1356392
Cache-Control: private, max-age=900
Expires: Thu, 28 Aug 2014 06:53:05 GMT
Date: Thu, 28 Aug 2014 06:38:05 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@..........................` ......F....@.................................@........@ .P...........(...@....`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...P...............................rsrc...P....@ .....................@..@.reloc.......P .....................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Thu, 28 Aug 2014 06:38:10 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /af/getExternalGamesInfo/ticket=aHANh6383002sUPQI3BC HTTP/1.1
User-Agent: zz_afi 1.29.147
Host: fagamesframework.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 28 Aug 2014 06:38:03 GMT
Server: Apache
Cache-Control: max-age=18000
Expires: Thu, 28 Aug 2014 11:38:03 GMT
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8
unknown parametar..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_480:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SSSSh(
SSSSh(
PSSSSSSh
PSSSSSSh
QSShD
QSShD
WinHTTP.dll
WinHTTP.dll
%CTID%
%CTID%
hXXp://e1.arcadefrontier.com/aj/bundle/839/?p=YTI4ODk1NTUxNzN43Hc81pthuSBzThYc+TIMZAtAznmCz1JK1KOaaegX50tVASx+C3lynjqX4UR9nFXFvlUAh/e2Jsh+WSh/TSKb
hXXp://e1.arcadefrontier.com/aj/bundle/839/?p=YTI4ODk1NTUxNzN43Hc81pthuSBzThYc+TIMZAtAznmCz1JK1KOaaegX50tVASx+C3lynjqX4UR9nFXFvlUAh/e2Jsh+WSh/TSKb
163|134|162
163|134|162
gdiplus.dll
gdiplus.dll
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
FRegDeleteKeyExW
operator
operator
GetProcessWindowStation
GetProcessWindowStation
WINHTTP.dll
WINHTTP.dll
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpReadData
WinHttpReadData
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSendRequest
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpConnect
WinHttpOpen
WinHttpOpen
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpQueryOption
WinHttpQueryOption
GdiplusShutdown
GdiplusShutdown
COMCTL32.dll
COMCTL32.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegUnLoadKeyW
RegUnLoadKeyW
RegLoadKeyW
RegLoadKeyW
RegCreateKeyW
RegCreateKeyW
RegOpenKeyW
RegOpenKeyW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHDeleteKeyW
SHDeleteKeyW
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
GetCPInfo
GetCPInfo
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
mconduitinstaller.exe
mconduitinstaller.exe
Ä\;C
Ä\;C
.Tt$&
.Tt$&
!$.IHBI
!$.IHBI
Vv.Vf
Vv.Vf
3{u.FO
3{u.FO
>%s4s
>%s4s
[:%UU
[:%UU
OCSetupHlp.dll
OCSetupHlp.dll
-U^5N`^f.Xl
-U^5N`^f.Xl
m%x2)
m%x2)
:.RS]L
:.RS]L
.DS2
.DS2
i@&Q%c
i@&Q%c
uzg$}uQ
uzg$}uQ
2{.Wt
2{.Wt
.ZSLI|
.ZSLI|
BfTP>
BfTP>
To%F[Y
To%F[Y
X.IHIb)rP4{
X.IHIb)rP4{
r%sO]
r%sO]
lJ.mG
lJ.mG
vl.qRB
vl.qRB
xT%c%
xT%c%
'R.yV
'R.yV
.Ek#"
.Ek#"
>.YqX
>.YqX
Y U%x
Y U%x
!UÃ
!UÃ
.huZA
.huZA
v.RVa )Eca3
v.RVa )Eca3
#.ta\
#.ta\
M%ud LR
M%ud LR
.Hq9I%
.Hq9I%
0.Bko
0.Bko
-9%X~
-9%X~
_D`.oN
_D`.oN
UF%U(
UF%U(
.uH**r
.uH**r
.aUi%
.aUi%
ST%UIS
ST%UIS
.KV/-IV
.KV/-IV
.QO)O:
.QO)O:
.rP1HP
.rP1HP
.Vkeu=S
.Vkeu=S
OCSetupHlp.dllPK
OCSetupHlp.dllPK
sp-downloader.exe
sp-downloader.exe
(O(%Ãd
(O(%Ãd
sj.IE
sj.IE
Nc1m.Xd}
Nc1m.Xd}
520426026
520426026
ahÃ
ahÃ
SPIdentifier.exe
SPIdentifier.exe
znsqL
znsqL
.Nh/h
.Nh/h
5424224
5424224
f.CR9Cr*
f.CR9Cr*
(.%%Fu
(.%%Fu
M[.ab(O
M[.ab(O
/|.eC
/|.eC
q}\%X;f
q}\%X;f
~B%CU
~B%CU
#h)j.Zpi
#h)j.Zpi
n.SuT
n.SuT
ø^O
ø^O
m.qiD
m.qiD
$%fR
$%fR
C,D.TZ
C,D.TZ
%c&bta6
%c&bta6
-[A$.Glp
-[A$.Glp
w5.zk
w5.zk
%Uw]:
%Uw]:
DEEô
DEEô
%Xf>m|
%Xf>m|
3%Um
3%Um
\rsid13843124\rsid14169892\rsid15628380\rsid15748077}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator malo_nj}
\rsid13843124\rsid14169892\rsid15628380\rsid15748077}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator malo_nj}
{\creatim\yr2013\mo3\dy13\hr10\min41}{\revtim\yr2013\mo4\dy10\hr16\min39}{\version9}{\edmins31}{\nofpages1}{\nofwords83}{\nofchars701}{\nofcharsws783}{\vern32859}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}
{\creatim\yr2013\mo3\dy13\hr10\min41}{\revtim\yr2013\mo4\dy10\hr16\min39}{\version9}{\edmins31}{\nofpages1}{\nofwords83}{\nofchars701}{\nofcharsws783}{\vern32859}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}
\par By clicking the "Next" button below, you electronically agree to the ArcadeFrontier }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/ClientEula.af"}{\rtlch\fcs1 \af1\afs18
\par By clicking the "Next" button below, you electronically agree to the ArcadeFrontier }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/ClientEula.af"}{\rtlch\fcs1 \af1\afs18
\par }{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12336207\charrsid222141 and }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/ClientPrivacyPolicy.af"}{\rtlch\fcs1
\par }{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12336207\charrsid222141 and }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/ClientPrivacyPolicy.af"}{\rtlch\fcs1
\par You can uninstall ArcadeFrontier any time via Add/Remove programs or by clicking }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/Deactivate.af"}{\rtlch\fcs1 \af1\afs18
\par You can uninstall ArcadeFrontier any time via Add/Remove programs or by clicking }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "hXXp://arcadefrontier.com/Deactivate.af"}{\rtlch\fcs1 \af1\afs18
\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator Cvija}{\creatim\yr2013\mo3\dy19\hr9\min50}{\revtim\yr2013\mo5\dy29\hr11\min36}{\version5}{\edmins5}{\nofpages4}{\nofwords2298}{\nofchars13103}{\nofcharsws15371}{\vern49275}}{\*\xmlnstbl {\xmlns1 http:/
\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator Cvija}{\creatim\yr2013\mo3\dy19\hr9\min50}{\revtim\yr2013\mo5\dy29\hr11\min36}{\version5}{\edmins5}{\nofpages4}{\nofwords2298}{\nofchars13103}{\nofcharsws15371}{\vern49275}}{\*\xmlnstbl {\xmlns1 http:/
/schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect
/schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect
re ("Desktop Max Software") and Services ("Desktop Max Services") and the advertisement-supported version of the Software ("Desktop Software") and Services ("Desktop Services").
re ("Desktop Max Software") and Services ("Desktop Max Services") and the advertisement-supported version of the Software ("Desktop Software") and Services ("Desktop Services").
y subsequent versions of the Software. You agree to comply with TWCi's Terms and Conditions, as set forth on TWCi's web site, }{\field{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "hXXp://VVV.weather.com/"}{\rtlch\fcs1
y subsequent versions of the Software. You agree to comply with TWCi's Terms and Conditions, as set forth on TWCi's web site, }{\field{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "hXXp://VVV.weather.com/"}{\rtlch\fcs1
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 VVV.weather.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 VVV.weather.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. You understand that the Software is a voluntary software program, and you may uninstall the Software at any time by using your appropriate operating systems' add/remove or uninstall functionality. However, by uninstalling the Software,
\par C. You understand that the Software is a voluntary software program, and you may uninstall the Software at any time by using your appropriate operating systems' add/remove or uninstall functionality. However, by uninstalling the Software,
HYPERLINK "hXXp://VVV.weather.com/services/desktop/desktopplatinumfaq.html#17"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
HYPERLINK "hXXp://VVV.weather.com/services/desktop/desktopplatinumfaq.html#17"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 VVV.weather.com/services/desktop/desktopplatinumfaq.html#17}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 VVV.weather.com/services/desktop/desktopplatinumfaq.html#17}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. ANY MATERIAL, DATA OR INFORMATION, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS, DOWNLOADED OR OTHERWISE OBTAINED THROUGH T
\par C. ANY MATERIAL, DATA OR INFORMATION, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS, DOWNLOADED OR OTHERWISE OBTAINED THROUGH T
ACY, USEFULNESS OR AVAILABILITY OF ANY INFORMATION OR DATA TRANSMITTED VIA THE SOFTWARE, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS.
ACY, USEFULNESS OR AVAILABILITY OF ANY INFORMATION OR DATA TRANSMITTED VIA THE SOFTWARE, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS.
CT LIABILITY, FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF TWCi HAS BEEN ADVISED OF THE POSS
CT LIABILITY, FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF TWCi HAS BEEN ADVISED OF THE POSS
OF $5.00 OR THE AMOUNT YOU PAID TO TWCi. B. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF SECTIONS 4 A
OF $5.00 OR THE AMOUNT YOU PAID TO TWCi. B. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF SECTIONS 4 A
h if applicable, the Software from your operating system and immediately discontinue use of the Services. Your obligation to pay accrued charges and fees shall survive any termination of this Agreement.
\par 8. EXPORT CONTROLS. THE SOFTWARE AND ANY UNDERLYING
TECHNOLOGY MAY NOT BE EXPORTED OUTSIDE THE UNITED STATES IN A MANNER THAT IS PROHIBITED BY APPLICABLE EXPORT LAWS AND REGULATIONS. BY DOWNLOADING OR USING THE SOFTWARE OUTSIDE THE UNITED STATES OF AMERICA, YOU ASSUME RESPONSIBILITY FOR COMPLIANCE WITH THE
\par 9. AMENDMENT. TWCi may, in its sole discretion, change, modify, add or remove portions of this license or the Services at any time. TWCi may notify you of any such changes by posting notice of such changes on the TWCi website }{\field\fldedit{\*\fldinst {
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "hXXp://VVV.weather.com/"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid5594936 VVV.weather.com/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12658121\charrsid7081360
by you, or (b) violation of any law or regulation by you. If you are importing the Software from the United States, you shall hold harmless, indemnify and defend TWCi and its affiliated companies and their officers, directors and employees, from and agai
nst any import and export duties or other claims arising from such importation.
confirmation or by certified mail with delivery confirmation; provided that, TWCi may provide notice to you via the Software. All notices to TWCi shall be addressed to The Weather Channel Interactive, Inc. 300 Interstate North Parkway, Atlanta, Georgia 30
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCHFLY TOOLBAR END USER INSTRUCTIONS\par
You have elected to download the SearchFly toolbar, an application designed to deliver fresh content directly to your browser, provide you with a choice of useful search engines, allow you to choose from thousands of free apps for your browser, and provide you with hand-picked links to check out from across the web. \par
Your use of the toolbar is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "hXXp://%CTID%.ourtoolbar.com/eula/" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "hXXp://VVV.conduit.com/privacy/contentpolicy" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 The toolbar will be installed in one of the following ways: On your current browser, on your default browser, or on all of your browsers (Windows\'ae Internet Explorer\'ae, Firefox\'ae, and Chrome\'99).\cf0\par
\cf3 Note for Windows 8 Users: When you open Internet Explorer or Firefox from the Start screen (rather than the desktop), the installed toolbar will not be visible or functional.\cf0\par
\cf3 To uninstall the toolbar, you may use the standard uninstall procedures offered by your device's Operating System or your Internet Browser, as applicable.\cf0\par
\cf3 For example: To uninstall the toolbar from Firefox, click the Firefox button (or \ldblquote Tools\rdblquote menu) at the top of the browser, select \ldblquote Add-ons\rdblquote and then select \ldblquote Extensions.\rdblquote Find the software you want to uninstall and click the \ldblquote Disable\rdblquote or \ldblquote Remove\rdblquote button. If you want to change your web search settings, depending on the Internet browser you use, you may be able to do so from the drop-down menu of the search box built into your browser. \cf0\par
\cf3 Additional information for changing search settings for some browsers is available on our \cf0{\field{\*\fldinst{HYPERLINK "hXXp://toolbar.conduit.com/changing-search-settings.aspx" }}{\fldrslt{\cf2\ul search settings page}}}\cf0\ulnone\f0\fs18 .\par
\cf3 Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "hXXp://support.conduit.com/HelpCenter/Uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCH PROTECT END USER INSTRUCTIONS\par
Your use of the Search Protect application is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "hXXp://VVV.conduit.com/legal/searchprotectdescription" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "hXXp://VVV.conduit.com/privacy/search-protect-privacy-policy.aspx" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 Search Protect will alert you if a third party attempts to change your browser settings. You can elect to change your browser settings at any time through the Search Protect application, which is accessible from the desktop taskbar, or through your browser\rquote s Settings/Options tab. {\field{\*\fldinst{HYPERLINK "hXXp://VVV.conduit.com/searchprotect" }}{\fldrslt{\cf2\ul Learn more}}}\cf0\ulnone\f0\fs18 \par
If you elect to change your browser settings via Search Protect, your settings preferences will be applied to Chrome\'99, Firefox\'ae, and Internet Explorer\'ae. This facilitates your ability to maintain your preferred settings.\par
If you elect to change your browser settings via your web browser, Search Protect will be disabled for that setting, therefore its ability to prevent third-party software from changing your settings will be halted.\par
In Chrome, browser settings can be changed via the Chrome menu or wrench icon. In Firefox, settings can be changed via the Firefox button or Tools menu. In Internet Explorer, settings can be changed via the gear icon or Tools menu. For all three browsers, new tab setting can be restored by opening a new tab and clicking \ldblquote Restore\rdblquote on the bottom of the page.\par
You can uninstall Search Protect at any time by using the standard uninstall process that is available as part of your operating system.\par
In Microsoft Windows\'ae, go to the Control Panel and click \ldblquote Uninstall a program\rdblquote or \ldblquote Programs and Features.\rdblquote Right-click on Search Protect in the list of programs and select Uninstall/Change.\par
Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "hXXp://VVV.conduit.com/searchprotect/uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
9a-U}.Vy @_
Bb'Qu-V} Qx(Mr'Kq'Lt U
: ;&;];~;
>!?>?[?{?
3'323>3&434
:#:,:?:~:
9,989\9|9
; ;(;0;
6 6$6(6,606
chrome.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
hXXp://arcadefrontier.com/aj/thanks.php
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\Ntuser.dat
zz_afi 1.29.147
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Advapi32.dll
hXXp://pages.arcadefrontier.com/aj/bund.php
%x|%s|%s|%s|%s
hXXp://arcadefrontier.com/aj/ireport.php
RichEd20.dll
msftedit.dll
mism.exe
[hXXp://%CTID%.ourtoolbar.com/terms|terms, license agreements, and privacy policies]. The Toolbar may contain apps that access, collect, and use your personal data, including your IP address and the address and content of web pages you visit. See also the apps
Set my default search and home page to Conduit Search. [hXXp://%CTID%.ourtoolbar.com/LearnMore|Learn more]. Install and enable [hXXp://%CTID%.ourtoolbar.com/terms|Search Protect] to block other software`s attempts to change my browser`s home page and search settings.
, Firefox
, and Chrome
. [hXXp://%CTID%.ourtoolbar.com/LearnMore|Learn more]
SOFTWARE\Google\Chrome\Extensions\foefbhafkpenambkepbflhagepfeaffe
Software\Google\Chrome\Extensions\hbhadleoooflhfkogcbdbcjeeddbegal
Software\Google\Chrome\Extensions\oepoobmnpajhgfbmiohochgjadihpkcl
Software\Google\Chrome\Extensions\pfakbopcifdmfnpjcdmcalikohahmpkp
Software\Google\Chrome\Extensions\hneiaagbgkkndldhajjnnmpcfhaoamde
Software\Google\Chrome\Extensions\jchggfmbjomomjeheekacpacopnpihjn
Software\Google\Chrome\Extensions\hgiifhjbblnglipdbpdgagphlcbililb
\LocalLow\Conduit\ChromeExtData
\Conduit\Chrome
Software\AppDataLow\Software\Conduit\ChromeExtData
.UserID
Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s
"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s
By clicking "Agree" you confirm that you have read and agreed to the Search Protect`s [hXXp://VVV.conduit.com/legal/searchprotectdescription|Terms] and [hXXp://VVV.conduit.com/privacy/searchprotectprivacypolicy|Privacy Policy], and agree to install Search Protect.
s home page and search settings. [hXXp://VVV.conduit.com/searchprotect|Learn more]
Please read the following important information and terms before continuing.
\Main\rep\SystemRepository.dat
{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}
You need to install Windows XP SP2 or higher.
You need to install Windows XP SP1 or higher.
1.29.147
_tpd.exe
00000000
hXXp://VVV.arcadefrontier.com/BrowserOptimization.af
ArcadeFrontier will be enabled in certain browsers.
Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Software\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup
Check below to accept the [hXXp://VVV.mypcbackup.com/terms|terms] and to install the free MyPCBackup, then click Next.
For Windows, Mac and Linux
hXXp://aff-software.s3-website-us-east-1.amazonaws.com/93a97d2c2908021448dd1fc20349ec62/Cloud_Backup_Setup.exe
DhXXp://VVV.opencandy.com/eulas/b/sneula.html
{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gameurl
hXXp://fagamesframework.com/af/getExternalGamesInfo/ticket=
hXXp://VVV.arcadefrontier.com/offers/wd/twcsetup.exe
hXXp://static.af.facdn.com/offers/wd/twcsetup.exe
\The Weather Channel\The Weather Channel App\installsettings.xml
\The Weather Channel\Desktop\apps.ini
Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2468871
ekernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.1
SetupGUI.exe