Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 08596917f28a797c91f3cb197286ef28
SHA1: 0d03764df20dcb2b097794918d824aec97045526
SHA256: 7d088aa1d649bbbda5c54b40970f03b7d0f9bc27affba6d1ab8a76eaac5bfc28
SSDeep: 24576:SStrUAbM6M/KN9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5v3:SStrUAI6Mu9qhGb1uxjFwSu1DomZ3
Size: 1322432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:28:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SPIdentifier.exe:1820
%original file name%.exe:368
nsj80.exe:1936
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SPIdentifier.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7E.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V9J33IN2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PU5GX8YM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9MPS5GZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (64797 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)
The process nsj80.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp (0 bytes)
Registry activity
The process SPIdentifier.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu7F.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 B1 C7 49 B0 70 17 31 2E 72 46 DE 28 19 CB 75"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 B0 0C 41 99 E4 35 56 69 C5 7F 5D 7B 52 40 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process nsj80.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 77 27 AE B7 EF 52 CF 27 36 84 0F 20 AC 9C 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
73554f3944811c0c4b393826943be2ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe |
9fb9d49c2db7edd1084ab765d619f5c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe |
3c28060fcffe2b17afa3ec9eabaf5adc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll |
d96290ac80c0696023d8a2378bd89efa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SPIdentifier.exe:1820
%original file name%.exe:368
nsj80.exe:1936
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7E.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V9J33IN2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PU5GX8YM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9MPS5GZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 198400 | 198656 | 4.5562 | 5794edb184cc1655228892923cdd0fd4 |
.rdata | 204800 | 78890 | 79360 | 3.13439 | 6bb12677fb81a67e5d46b153ba943a0e |
.data | 286720 | 20384 | 9216 | 3.18602 | e853efea4ae2be64530d1c184773b128 |
.rsrc | 307200 | 1005432 | 1005568 | 5.51625 | ab7de3fc354a034360692874cb479c8b |
.reloc | 1314816 | 23464 | 23552 | 3.25769 | 9e60931ebc074700654d77d68f1c7831 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 266
f93baf6557e104cc2520e63e51beeed9
d8227b13fcf2e9b7d513261f600e2a6b
dd28686e2ae2b2c6077b634434667c6c
7d4eda03a6846d67fb141c16f42121d5
9cec46391e24f11be34895f3f78e89e2
4c7b64db66baff7a94d397f95bbd0f62
ebb3b412e20c450ce922434b2e26c104
3741c8648c63e5349c1ccd9f43c49ce5
3119cd3d5114e9d380ce7f7e3197baa9
973d9451be5089995a4274cdf2f074a7
5f510b5a060ae7bfa8f5351c9eb4483a
ff5c0abc1f9e460ca68f0dc73ff1f1da
c7c7ebfe8f218b15010adfee098f796d
64ebea4671f933787a6eed266660fae4
523be9d38cdfd8ffae58908bf230ccba
27a0e4add6a9e0b8b918eded93aa5581
f6bc68e680a24fe5cde28bd02e02efda
7ed5fcb505b1833baad9e47d84054a38
f37f08f1c9438d9c7ec37a0c642b3ee4
a74f03c68e479e4b030cbf58728874bf
a05f98ea1a0e257c2ca92129f2a8fdaa
995f782c3df4594bb5e4119a9e9f6b20
b20db45fbf1125a1a61d2e030e397779
b1e592994fd233d2f906b2e2c42d323e
59483eef58910cff57e188c7b0ff7be0
Network Activity
URLs
URL | IP |
---|---|
hxxp://74.120.16.113/af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS | |
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
hxxp://fagamesframework.com/af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS | |
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe | 23.209.38.93 |
hxxp://sp-installer.conduit-data.com/ | 184.72.217.85 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS HTTP/1.1
User-Agent: zz_afi 1.28.147
Host: fagamesframework.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 05 Jul 2014 04:27:40 GMT
Server: Apache
Cache-Control: max-age=18000
Expires: Sat, 05 Jul 2014 09:27:40 GMT
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8
unknown parametar..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"BKSBFPQYQFRAR1S0EIQWDCTS7K/4MCAVMXDDMNTWP9BPDHNBFK99IAK XNLOHLHU2MEXZES9T83SVYVXFQIBHW", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Sat, 05 Jul 2014 04:27:21 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sat, 05 Jul 2014 07:27:43 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Sat, 05 Jul 2014 04:42:43 GMT
Date: Sat, 05 Jul 2014 04:27:43 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$ [binary PE response body, 1115264 bytes per Content-Length; raw dump omitted]
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_368:
.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
SSSSh4(C
SSSSh\(C
uISSh
;NTu^SSh
WinHTTP.dll
-1.1.3
1.1.3
163|145|134|162
http://e1.arcadefrontier.com/aj/bundle/891/?p=YTM3MDMzODE2NTV43Hc81pthuSBzThYc+TIMLSHCSfmzx6R3snINWKJa7ZgOq6SBsGSneWyXTplZq2BL3webKYQhMNPTqpl/aawi
gdiplus.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
operator
GetProcessWindowStation
WINHTTP.dll
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpQueryOption
GdiplusShutdown
COMCTL32.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegCreateKeyW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSIMG32.dll
GetCPInfo
zcÁ
c:\%original file name%.exe
mconduitinstaller.exe
Ä\;C
.Tt$&
!$.IHBI
Vv.Vf
3{u.FO
>%s4s
[:%UU
OCSetupHlp.dll
-U^5N`^f.Xl
m%x2)
:.RS]L
.DS2
i@&Q%c
uzg$}uQ
2{.Wt
.ZSLI|
BfTP>
To%F[Y
X.IHIb)rP4{
r%sO]
lJ.mG
vl.qRB
xT%c%
'R.yV
.Ek#"
>.YqX
Y U%x
!UÝ
.huZA
v.RVa )Eca3
#.ta\
M%ud LR
.Hq9I%
0.Bko
-9%X~
_D`.oN
UF%U(
.uH**r
.aUi%
ST%UIS
.KV/-IV
.QO)O:
.rP1HP
.Vkeu=S
OCSetupHlp.dllPK
sp-downloader.exe
(O(%Íd
sj.IE
Nc1m.Xd}
520426026
ahÝ
SPIdentifier.exe
znsqL
.Nh/h
5424224
f.CR9Cr*
(.%%Fu
M[.ab(O
/|.eC
q}\%X;f
~B%CU
#h)j.Zpi
n.SuT
ø^O
m.qiD
$%fR<
C,D.TZ
%c&bta6
-[A$.Glp
w5.zk
 %Uw]:
DEEô
%Xf>m|
 3%Um
\rsid13843124\rsid14169892\rsid15628380\rsid15748077}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator malo_nj}
{\creatim\yr2013\mo3\dy13\hr10\min41}{\revtim\yr2013\mo4\dy10\hr16\min39}{\version9}{\edmins31}{\nofpages1}{\nofwords83}{\nofchars701}{\nofcharsws783}{\vern32859}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
\par By clicking the "Next" button below, you electronically agree to the ArcadeFrontier }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/ClientEula.af"}{\rtlch\fcs1 \af1\afs18
\par }{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12336207\charrsid222141 and }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/ClientPrivacyPolicy.af"}{\rtlch\fcs1
\par You can uninstall ArcadeFrontier any time via Add/Remove programs or by clicking }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/Deactivate.af"}{\rtlch\fcs1 \af1\afs18
\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator Cvija}{\creatim\yr2013\mo3\dy19\hr9\min50}{\revtim\yr2013\mo5\dy29\hr11\min36}{\version5}{\edmins5}{\nofpages4}{\nofwords2298}{\nofchars13103}{\nofcharsws15371}{\vern49275}}{\*\xmlnstbl {\xmlns1 http:/
/schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect
re ("Desktop Max Software") and Services ("Desktop Max Services") and the advertisement-supported version of the Software ("Desktop Software") and Services ("Desktop Services").
y subsequent versions of the Software. You agree to comply with TWCi's Terms and Conditions, as set forth on TWCi's web site, }{\field{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "http://www.weather.com/"}{\rtlch\fcs1
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 www.weather.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. You understand that the Software is a voluntary software program, and you may uninstall the Software at any time by using your appropriate operating systems' add/remove or uninstall functionality. However, by uninstalling the Software,
HYPERLINK "http://www.weather.com/services/desktop/desktopplatinumfaq.html#17"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 www.weather.com/services/desktop/desktopplatinumfaq.html#17}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. ANY MATERIAL, DATA OR INFORMATION, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS, DOWNLOADED OR OTHERWISE OBTAINED THROUGH T
ACY, USEFULNESS OR AVAILABILITY OF ANY INFORMATION OR DATA TRANSMITTED VIA THE SOFTWARE, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS.
CT LIABILITY, FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF TWCi HAS BEEN ADVISED OF THE POSS
OF $5.00 OR THE AMOUNT YOU PAID TO TWCi. B. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF SECTIONS 4 A
h if applicable, the Software from your operating system and immediately discontinue use of the Services. Your obligation to pay accrued charges and fees shall survive any termination of this Agreement.
\par 8. EXPORT CONTROLS. THE SOFTWARE AND ANY UNDERLYING
TECHNOLOGY MAY NOT BE EXPORTED OUTSIDE THE UNITED STATES IN A MANNER THAT IS PROHIBITED BY APPLICABLE EXPORT LAWS AND REGULATIONS. BY DOWNLOADING OR USING THE SOFTWARE OUTSIDE THE UNITED STATES OF AMERICA, YOU ASSUME RESPONSIBILITY FOR COMPLIANCE WITH THE
\par 9. AMENDMENT. TWCi may, in its sole discretion, change, modify, add or remove portions of this license or the Services at any time. TWCi may notify you of any such changes by posting notice of such changes on the TWCi website }{\field\fldedit{\*\fldinst {
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "http://www.weather.com/"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid5594936 www.weather.com/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12658121\charrsid7081360
by you, or (b) violation of any law or regulation by you. If you are importing the Software from the United States, you shall hold harmless, indemnify and defend TWCi and its affiliated companies and their officers, directors and employees, from and agai
nst any import and export duties or other claims arising from such importation.
confirmation or by certified mail with delivery confirmation; provided that, TWCi may provide notice to you via the Software. All notices to TWCi shall be addressed to The Weather Channel Interactive, Inc. 300 Interstate North Parkway, Atlanta, Georgia 30
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCHFLY TOOLBAR END USER INSTRUCTIONS\par
You have elected to download the SearchFly toolbar, an application designed to deliver fresh content directly to your browser, provide you with a choice of useful search engines, allow you to choose from thousands of free apps for your browser, and provide you with hand-picked links to check out from across the web. \par
Your use of the toolbar is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "http://%CTID%.ourtoolbar.com/eula/" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/privacy/contentpolicy" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 The toolbar will be installed in one of the following ways: On your current browser, on your default browser, or on all of your browsers (Windows\'ae Internet Explorer\'ae, Firefox\'ae, and Chrome\'99).\cf0\par
\cf3 Note for Windows 8 Users: When you open Internet Explorer or Firefox from the Start screen (rather than the desktop), the installed toolbar will not be visible or functional.\cf0\par
\cf3 To uninstall the toolbar, you may use the standard uninstall procedures offered by your device's Operating System or your Internet Browser, as applicable.\cf0\par
\cf3 For example: To uninstall the toolbar from Firefox, click the Firefox button (or \ldblquote Tools\rdblquote menu) at the top of the browser, select \ldblquote Add-ons\rdblquote and then select \ldblquote Extensions.\rdblquote Find the software you want to uninstall and click the \ldblquote Disable\rdblquote or \ldblquote Remove\rdblquote button. If you want to change your web search settings, depending on the Internet browser you use, you may be able to do so from the drop-down menu of the search box built into your browser. \cf0\par
\cf3 Additional information for changing search settings for some browsers is available on our \cf0{\field{\*\fldinst{HYPERLINK "http://toolbar.conduit.com/changing-search-settings.aspx" }}{\fldrslt{\cf2\ul search settings page}}}\cf0\ulnone\f0\fs18 .\par
\cf3 Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "http://support.conduit.com/HelpCenter/Uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCH PROTECT END USER INSTRUCTIONS\par
Your use of the Search Protect application is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/legal/searchprotectdescription" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/privacy/search-protect-privacy-policy.aspx" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 Search Protect will alert you if a third party attempts to change your browser settings. You can elect to change your browser settings at any time through the Search Protect application, which is accessible from the desktop taskbar, or through your browser\rquote s Settings/Options tab. {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/searchprotect" }}{\fldrslt{\cf2\ul Learn more}}}\cf0\ulnone\f0\fs18 \par
If you elect to change your browser settings via Search Protect, your settings preferences will be applied to Chrome\'99, Firefox\'ae, and Internet Explorer\'ae. This facilitates your ability to maintain your preferred settings.\par
If you elect to change your browser settings via your web browser, Search Protect will be disabled for that setting, therefore its ability to prevent third-party software from changing your settings will be halted.\par
In Chrome, browser settings can be changed via the Chrome menu or wrench icon. In Firefox, settings can be changed via the Firefox button or Tools menu. In Internet Explorer, settings can be changed via the gear icon or Tools menu. For all three browsers, new tab setting can be restored by opening a new tab and clicking \ldblquote Restore\rdblquote on the bottom of the page.\par
You can uninstall Search Protect at any time by using the standard uninstall process that is available as part of your operating system.\par
In Microsoft Windows\'ae, go to the Control Panel and click \ldblquote Uninstall a program\rdblquote or \ldblquote Programs and Features.\rdblquote Right-click on Search Protect in the list of programs and select Uninstall/Change.\par
Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "http://www.conduit.com/searchprotect/uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
9a-U}.Vy @_
Bb'Qu-V} Qx(Mr'Kq'Lt U
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity processorArchitecture="*" version="1.0.0.0" type="win32" name="ArcadeFrontierSetup"></assemblyIdentity><description></description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" 
language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"></compatibility></assembly></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></pre><pre><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></pre><pre><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></pre><pre>;)</<5<`<</pre><pre>> >$>(>,>0></pre><pre>1,141<1\1|1</pre><pre>?@?\?`?|?</pre><pre>3 3$3(3,3034383</pre><pre>Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>chrome.exe</pre><pre>http://arcadefrontier.com/aj/thanks.php</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</pre><pre>\Ntuser.dat</pre><pre>lzz_afi 1.28.147</pre><pre>zz_afi 1.28.147</pre><pre>ESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</pre><pre>Advapi32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>http://pages.arcadefrontier.com/aj/bund.php</pre><pre>%x|%s|%s|%s|%s</pre><pre>IEXPLORE.EXE</pre><pre>iexplore.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE</pre><pre>http://arcadefrontier.com/aj/ireport.php</pre><pre>msftedit.dll</pre><pre>RichEd20.dll</pre><pre>mism.exe</pre><pre>, Firefox</pre><pre>, and Chrome</pre><pre>. [http://%CTID%.ourtoolbar.com/LearnMore|Learn more]</pre><pre>%CTID%</pre><pre>s customized web search and web search page, and install [http://%CTID%.ourtoolbar.com/terms|Search Protect]. 
Send me info from the Toolbar (can be disabled later).</pre><pre>[http://</pre><pre>.ourtoolbar.com/terms|Search Protect].</pre><pre>[http://%CTID%.ourtoolbar.com/terms|terms, license agreements, and privacy policies]. The Toolbar may contain apps that access, collect, and use your personal data, including your IP address and the address and content of web pages you visit. See also the apps</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect</pre><pre>"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s</pre><pre>\Main\rep\SystemRepository.dat</pre><pre>Please read the following important information and terms before continuing.</pre><pre>s home page and search settings. [http://www.conduit.com/searchprotect|Learn more]</pre><pre>By clicking "Agree" you confirm that you have read and agreed to the Search Protect`s [http://www.conduit.com/legal/searchprotectdescription|Terms] and [http://www.conduit.com/privacy/searchprotectprivacypolicy|Privacy Policy], and agree to install Search Protect.</pre><pre>{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}</pre><pre>1.28.147</pre><pre>You need to install Windows XP SP1 or higher.</pre><pre>You need to install Windows XP SP2 or higher.</pre><pre>_tpd.exe</pre><pre>00000000</pre><pre>ArcadeFrontier will be enabled in certain browsers.</pre><pre>http://www.arcadefrontier.com/BrowserOptimization.af</pre><pre>Software\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup</pre><pre>http://aff-software.s3-website-us-east-1.amazonaws.com/f7fcdd99a2e75d6ad7c29954e075a8b6/Cloud_Backup_Setup.exe</pre><pre>For Windows, Mac and Linux</pre><pre>Check below to accept the [http://www.mypcbackup.com/terms|terms] and to install the free MyPCBackup, then click 
Next.</pre><pre>AOCSetupHlp.dll</pre><pre>http://www.opencandy.com/eulas/b/sneula.html</pre><pre>{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}</pre><pre>http://fagamesframework.com/af/getExternalGamesInfo/ticket=</pre><pre>gameurl</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>\The Weather Channel\Desktop\apps.ini</pre><pre>\The Weather Channel\The Weather Channel App\installsettings.xml</pre><pre>Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2468871</pre><pre>http://static.af.facdn.com/offers/wd/twcsetup.exe</pre><pre>http://www.arcadefrontier.com/offers/wd/twcsetup.exe</pre><pre>ekernel32.dll</pre><pre>KERNEL32.DLL</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>WUSER32.DLL</pre><pre>1.0.0.1</pre><pre>SetupGUI.exe</pre></pre>