Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f04a4d5450ed03a629adb229886f932d
SHA1: 584c08321296660c24ddecb8f6bbb291bc8ac2d1
SHA256: 52ea76bf16d372e9e02d5d92b894112d65802291a09bc3eb5b8afa22eafd75e4
SSDeep: 24576:iStrUAbM6M/nN9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5vF:iStrUAI6Ml9qhGb1uxjFwSu1DomZF
Size: 1322432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:28:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1836
SPIdentifier.exe:448
nsh42.exe:664
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)
The process SPIdentifier.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh40.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (0 bytes)
The process nsh42.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 48 E9 D0 20 C5 1C 5C 23 37 67 C0 F2 B5 7E 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process SPIdentifier.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw41.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 2D B9 CD 73 60 70 DB 23 11 EA 6D 2E AA 8E 10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsh42.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 00 8D 22 26 3D AB 23 7B 22 4A FF BB F0 BB 35"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
73554f3944811c0c4b393826943be2ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe |
9fb9d49c2db7edd1084ab765d619f5c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe |
3c28060fcffe2b17afa3ec9eabaf5adc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll |
d96290ac80c0696023d8a2378bd89efa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1836
SPIdentifier.exe:448
nsh42.exe:664
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh40.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 198400 | 198656 | 4.5562 | 5794edb184cc1655228892923cdd0fd4 |
.rdata | 204800 | 78890 | 79360 | 3.13254 | 5a9614da702cf4869730ea3e79fd4d56 |
.data | 286720 | 20384 | 9216 | 3.18602 | e853efea4ae2be64530d1c184773b128 |
.rsrc | 307200 | 1005432 | 1005568 | 5.51625 | ab7de3fc354a034360692874cb479c8b |
.reloc | 1314816 | 23464 | 23552 | 3.25769 | 9e60931ebc074700654d77d68f1c7831 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 155
Network Activity
URLs
URL | IP |
---|---|
hxxp://fagamesframework.com/af/getExternalGamesInfo/ticket=anANb5DIBUSTPzsQPkBF | 74.120.16.113 |
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe | 23.9.99.152 |
hxxp://sp-installer.conduit-data.com/ | 54.235.66.89 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Thu, 12 Jun 2014 09:33:01 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Thu, 12 Jun 2014 06:48:05 GMT
Date: Thu, 12 Jun 2014 06:33:05 GMT
Connection: keep-alive
GET /af/getExternalGamesInfo/ticket=anANb5DIBUSTPzsQPkBF HTTP/1.1
User-Agent: zz_afi 1.28.147
Host: fagamesframework.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 06:33:03 GMT
Server: Apache
Cache-Control: max-age=18000
Expires: Thu, 12 Jun 2014 11:33:03 GMT
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8
unknown parametar..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"WCB0QMMWHQEIXXX5YMYDHFIANR5RJXVRS0KQJIL7Y9JFHQ/PF3DBRALGTADV1CIJ55NRHXCYS5GOEFIZIJWDJA", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Thu, 12 Jun 2014 06:32:05 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1836:
.text
`.rdata
@.data
.rsrc
@.reloc
WinHTTP.dll
-1.1.3
1.1.3
163|145|162
http://e1.arcadefrontier.com/aj/bundle/833/?p=YTMzMzc4MjE4MzV43Hc81pthuSBzThYc+TIMdLqMGyQxnSOTvvfZZn2noQMaMhD/18+abK1YxZv/UD1HGvZFJ5MFuCXWSHflvb1R
gdiplus.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
operator
GetProcessWindowStation
WINHTTP.dll
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpQueryOption
GdiplusShutdown
COMCTL32.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegCreateKeyW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSIMG32.dll
GetCPInfo
c:\%original file name%.exe
mconduitinstaller.exe
OCSetupHlp.dll
OCSetupHlp.dllPK
sp-downloader.exe
520426026
SPIdentifier.exe
5424224
language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"></compatibility></assembly></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></pre><pre><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></pre><pre><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></pre><pre>;)</<5<`<</pre><pre>> >$>(>,>0></pre><pre>1,141<1\1|1</pre><pre>?@?\?`?|?</pre><pre>3 3$3(3,3034383</pre><pre>Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>chrome.exe</pre><pre>http://arcadefrontier.com/aj/thanks.php</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</pre><pre>\Ntuser.dat</pre><pre>lzz_afi 1.28.147</pre><pre>zz_afi 1.28.147</pre><pre>ESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</pre><pre>Advapi32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>http://pages.arcadefrontier.com/aj/bund.php</pre><pre>%x|%s|%s|%s|%s</pre><pre>IEXPLORE.EXE</pre><pre>iexplore.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE</pre><pre>http://arcadefrontier.com/aj/ireport.php</pre><pre>msftedit.dll</pre><pre>RichEd20.dll</pre><pre>mism.exe</pre><pre>, Firefox</pre><pre>, and Chrome</pre><pre>. [http://%CTID%.ourtoolbar.com/LearnMore|Learn more]</pre><pre>%CTID%</pre><pre>s customized web search and web search page, and install [http://%CTID%.ourtoolbar.com/terms|Search Protect]. 
Send me info from the Toolbar (can be disabled later).</pre><pre>[http://</pre><pre>.ourtoolbar.com/terms|Search Protect].</pre><pre>[http://%CTID%.ourtoolbar.com/terms|terms, license agreements, and privacy policies]. The Toolbar may contain apps that access, collect, and use your personal data, including your IP address and the address and content of web pages you visit. See also the apps</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect</pre><pre>"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s</pre><pre>\Main\rep\SystemRepository.dat</pre><pre>Please read the following important information and terms before continuing.</pre><pre>s home page and search settings. [http://www.conduit.com/searchprotect|Learn more]</pre><pre>By clicking "Agree" you confirm that you have read and agreed to the Search Protect`s [http://www.conduit.com/legal/searchprotectdescription|Terms] and [http://www.conduit.com/privacy/searchprotectprivacypolicy|Privacy Policy], and agree to install Search Protect.</pre><pre>{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}</pre><pre>1.28.147</pre><pre>You need to install Windows XP SP1 or higher.</pre><pre>You need to install Windows XP SP2 or higher.</pre><pre>_tpd.exe</pre><pre>00000000</pre><pre>ArcadeFrontier will be enabled in certain browsers.</pre><pre>http://www.arcadefrontier.com/BrowserOptimization.af</pre><pre>Software\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup</pre><pre>http://aff-software.s3-website-us-east-1.amazonaws.com/f7fcdd99a2e75d6ad7c29954e075a8b6/Cloud_Backup_Setup.exe</pre><pre>For Windows, Mac and Linux</pre><pre>Check below to accept the [http://www.mypcbackup.com/terms|terms] and to install the free MyPCBackup, then click 
Next.</pre><pre>AOCSetupHlp.dll</pre><pre>http://www.opencandy.com/eulas/b/sneula.html</pre><pre>{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}</pre><pre>http://fagamesframework.com/af/getExternalGamesInfo/ticket=</pre><pre>gameurl</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>\The Weather Channel\Desktop\apps.ini</pre><pre>\The Weather Channel\The Weather Channel App\installsettings.xml</pre><pre>Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2468871</pre><pre>http://static.af.facdn.com/offers/wd/twcsetup.exe</pre><pre>http://www.arcadefrontier.com/offers/wd/twcsetup.exe</pre><pre>ekernel32.dll</pre><pre>KERNEL32.DLL</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>WUSER32.DLL</pre><pre>1.0.0.1</pre><pre>SetupGUI.exe</pre></pre>