Adware.GameVance.BK_0ab61ef1df

by malwarelabrobot on April 30th, 2015 in Malware Descriptions.

Adware.GameVance.BK (B) (Emsisoft), Adware.GameVance.BK (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, PUPArcadeFrontier.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0ab61ef1df700d9d866189e2003924b2
SHA1: b21f098ac8b266130769dd7035265d3bebab0539
SHA256: 911a7ea6d04b289ca69e45f065c4ba92fd54e1d11b9a8f23172385ce2a022cb4
SSDeep: 24576:SW/GqfArqh2n9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgLyc:SW/GqfArqm9qhGb1uxjFwSu1Domb
Size: 1316800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-24 11:22:53
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):

SPIdentifier.exe:1756
%original file name%.exe:856
nst4.exe:1656

The Adware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}

File activity

The process SPIdentifier.exe:1756 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JPZM27Q\spidentifierimpl[1].exe (72144 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst4.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp (0 bytes)

The process %original file name%.exe:856 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)

The process nst4.exe:1656 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\inetc.dll (30 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nst4.log (1847 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\SPtool.dll (65457 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)

Registry activity

The process SPIdentifier.exe:1756 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 1F 22 B9 D8 66 74 B7 14 41 46 97 F9 8E AD D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:856 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 B0 12 E2 11 27 63 99 D4 04 B3 54 FF 9F F9 F5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process nst4.exe:1656 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 27 2A 66 6F 30 5E CD 91 4B D2 A6 82 CC 4B 76"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
73554f3944811c0c4b393826943be2ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe
9fb9d49c2db7edd1084ab765d619f5c6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe
3c28060fcffe2b17afa3ec9eabaf5adc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll
af94cca6a6fc581a7d729ee032865c93 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\1JPZM27Q\spidentifierimpl[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 194048 194048 4.55295 27ea63a998fc5d6f60beb8dfaa60ba40
.rdata 200704 78156 78336 3.15574 e5644458a1bb494264d4bd5a9a5f3e66
.data 282624 20384 9216 3.18712 832fa5d49d04e242fd6e71dbd4f75e06
.rsrc 303104 1005352 1005568 5.5163 e5fd4d17ea6afff9a8b18c24e53c64e2
.reloc 1310720 23392 23552 3.24329 488752940967d5078e851672491b9e7e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 47

URLs

URL IP
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe
hxxp://e9287.g.akamaiedge.net//spidentifier/spidentifierimpl.exe
hxxp://Jazz-1846647836.us-east-1.elb.amazonaws.com/


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

The Adware connects to the servers at the following location(s):

%original file name%.exe_856:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    SPIdentifier.exe:1756
    %original file name%.exe:856
    nst4.exe:1656

  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4.exe (72144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (2820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JPZM27Q\spidentifierimpl[1].exe (72144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\inetc.dll (30 bytes)
    %Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nst4.log (1847 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp\SPtool.dll (65457 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
