Gen.Variant.Adware.Graftor.153852_6e07c3041d

by malwarelabrobot on September 29th, 2014 in Malware Descriptions.

Gen:Variant.Adware.Graftor.153852 (B) (Emsisoft), Gen:Variant.Adware.Graftor.153852 (AdAware), PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Installer, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6e07c3041dd88f2818a362703796850c
SHA1: 768e3435276e368d723b8df06e72b8bd9f353844
SHA256: b365e1ac88c19e2f003800aa531a7c1eb8650125029a0f584b3f338e4adf3afe
SSDeep: 24576:OOvwGqD8p bmfe0LBcZEtEl/D9sJePRw4a:tyW 0exlb9sJePW5
Size: 929688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Install Manager
Created at: 2014-08-30 01:54:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

%original file name%.exe:1552

The Installer injects its code into the following process(es):

setup.exe:264

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:264 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1552 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (7345 bytes)

The Installer deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process setup.exe:264 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 14 08 E4 A7 E0 24 36 A9 9F 08 F9 73 4D 1B 18"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1552 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 67 AB BA 04 0C 64 F6 59 05 7C 69 16 91 C1 A0"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Install Manager
Product Name: Download Manager
Product Version: 2.0.66.0
Legal Copyright: (c) Install Manager
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 2.0.66.0
File Description: Download Manager
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1888256 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1892352 864256 862208 5.49421 52d136d6f5c5d3d5445c6b0134d9d33f
.rsrc 2756608 65536 64000 3.60973 1e03c7cc29a7241fa53c2be3e99dfb53

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 226
01687b82e003e54cdcf7e227a62928a1
8e12b9a457b1c73287426c799c5ae0a6
020269fc981552d6d314487df6c1acad
ff83757c9f8b23299c6dc9073e757617
8ac232e8c803cf9994b79d623337aac8
60888bf7bb4c2bb74d2cfc605be97019
dac3061d4ec78ec1d6924fe2a7d3a377
2c0e2cef9fabbf17b96affa61440f478
93dbaa899f4fbf1aaa8a233f6b51a36d
882e6b8a06246f99720fc34f4ec948f3
0d7b202eedba55687de1f31be38a839e
de38de7d2e6b3bf877f6fdbb81a5a6f3
109c7b6805e04284540529b036b8ed89
692935f295561f9c3baa5709a91d3411
041984c562cabea6d2e18de32f49861c
5ee8f3dfa6194bac4eb18bf98e1d83fa
34170675f4bea8cd0ed3e388604f7c05
c2ba2a4ae310845605ae555ab094b226
e5a26e91dde9ce541a7b4d04c99d8c12
cc6e3c92c6a5703b5797bb75095aa756
c4f341d3647db4cdc80687420cc85e90
39ccdb0a8e9fd4531761ad28f22cf525
9bd82d6eda07f9012c2ec0816f0e0c1d
68e141edba56a1957db5d75eab1176dc
f97aaf76bba26082d839d5b86643681d
8dae9a9ca27d52c64e623ac54f306360

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Installer connects to the servers at the folowing location(s):

setup.exe_264:

`.rsrc
G SSh
<H.uJj
SSSSSSh
f;T$.uBf
QSShXc_
tFHt:Ht.Ht"Hu`
j%XtL9E
SSSSh
t'SShl
u$SShe
tWSShW
tl9_ tgSSh
FTCP
u.PhD6]
tAHt.HHt
FtPW
SSh@B
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CCmdTarget
RegDeleteKeyTransactedW
CNotSupportedException
CHttpConnection
CHttpFile
RegDeleteKeyExW
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
TaskDialogIndirect
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
operator
portuguese-brazilian
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
urlmon
RegOpenKeyTransactedW
<a href='#' ><img src='theme/images/btn_decline.png' id='ButtonCancel' border='0' ></a>
<a href='#'><img src='theme/images/btn_accept.png' id='ButtonOK' border='0'></a>
<img src='theme/images/green_shield.png'>
</font></td><td width='12px'>   </td></tr></table><br></td></tr><tr><td bgcolor='#808080' ><table cellpadding='4' width='100%'><tr><td align='center'><a href='#'><img src='theme/images/btn_decline.png' id='ButtonCancel' border='0'></a></td><td><a href='hXXp://VVV.iminent.com/corporate/eula/' target='_blank'><font face='arial' size='2' color='#B5D544'><b>EULA</b></font></a></td><td><a href='hXXp://VVV.iminent.com/corporate/privacy/' target='_blank'><font face='arial' size='2' color='#B5D544'><b>Privacy Policy</b></font></a></td><td align='center'><a href='#'><img src='theme/images/btn_accept.png' id='ButtonOK' border='0'></a></td></tr></table></td></tr></table></body></html>
<html><head></head><body style="margin: 0"><table width='100%' cellpadding=0 cellspacing=0 height='100%' style='overflow: auto; '><tr><td bgcolor='#808080'><font face='arial' size='1'> </font></td></tr><tr><td><table align='center'><tr><td><img src='theme/images/100free.png'></td><td>   </td><td><font face='arial' size='2'><b>Iminent</b> is 100% Free, <br>sponsored by Search <br>so you will never pay for it.</font></td></tr></table><table align='center'><tr><td width='18px'>   </td><td><font face='arial' size='2'>
DNSAPI.dll
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.?AVCCmdUI@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AVCCmdTarget@@
.PAVCException@@
.PAVCFileException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCResourceException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
GetProcessHeap
PeekNamedPipe
GetCPInfo
GetWindowsDirectoryW
CreatePipe
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
GetViewportExtEx
SetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
URLDownloadToFileW
IsValidURL
GetKeyboardState
GetKeyboardLayout
MapVirtualKeyW
GetKeyNameTextW
MapVirtualKeyExW
CreateDialogIndirectParamW
GetAsyncKeyState
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExW
InternetOpenUrlW
HttpQueryInfoW
InternetCrackUrlW
InternetCanonicalizeUrlW
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
3&.#;3 &
##0#3131%& 
.QICN,
0000000000000000
00000000000000
0 $$ 0 0 ,4$,0 0,
$4$($ ($
.text
`.rdata
@.data
.rsrc
@.reloc
F1%Xj
//var btnStalled = document.getElementById("NavigateStalled");
//btnStalled.click();
<SOFTWARE_URL_FILE>
</SOFTWARE_URL_FILE>xp%
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
@WININET.DLL
IHTTP/1.0
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
kernel32.dll
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
dwmapi.dll
UxTheme.dll
eShell32.dll
yDWrite.dll
D2D1.dll
%s:%x:%x:%x:%x
SHELL32.DLL
lXXxXXXXXXXX
mfcm100u.dll
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
USER32.DLL
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
COMCTL32.DLL
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
MFCLink_UrlPrefix
MFCLink_Url
%sPane-%d%x
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d
ShowCmd
X%c%d%c%s
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
RHex={X,X,X}
K%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
windows
Wf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
WRICHED20.DLL
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
Download Url:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid
CAirInstallerDlg::LoadUserInterfaceStalled navigate stalled, request page again. Time: %d
theme w: %d h: %d window w: %d h: %d
intro_page.html
session.xml
index.html
LoadVisorTheme: %s
installer.html
.exe/
DelayLoadThread() waiting for theme to finish building. %d
CAirInstallerDlg::DelayLoadThread request window display. Time: %d Delay: %d Limit: %d
.html
block.html
uninstaller.html
download_page.html
Link url not given:
cancel_page.html
CANCEL_URL>
&url=
DONE_URL>
offer_0.html
_USER_PASSWORD_
e.zip"
.msi"
msiexec.exe -i
msiexec.exe
.exe"
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
CAirInstallerDlg::OnThemeReady theme is ready to display. Time: %d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
Rules (exe) evaluate done
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
rule.value:
rule.location:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
_theme\config\cancel_dialog.xml
URLDownloadToFile failed:
_dialog.html
.infocache.airinstaller.com
_language.map
.lang
InstallerDistributed.exe
setup.exe
CLauncherDlg::OnInitDialog() UAC.launch() failed. Shut down now.
INSTALLER-238EA140-C13E-31F2-E1C5-106067709672
<DOWNLOAD_URL>
/status.html
Installer launch time: %d
\debug.log
WebGrab XML Feed
/get/file_size/?key=
installer run cmd process
\Uninstall Helper.lnk
\Remove Uninstall Helper.lnk
\Uninstaller.exe
API_URL>
irinstaller.com
hXXp://trk.a
comctl32.dll
shell32.dll
comdlg32.dll
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
SystemInspector::EnumerateSubKeys()
SystemInspector::EnumerateSubKeys() Error RegOpenKeyEx()
SystemInspector::EnumerateSubKeys() Error RegQueryInfoKey()
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\acceptpage.html
\html\uninstaller.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\software.html
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
%s %s
%d %s
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s%s%s
G/bundle.xml
bundle.xml
build.js
page-*.js
\settings.xml
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\setup.exe
DEFAULTs<FEED_URL>
hXXp://files.getsoftfree.com 02abb6bca-31bd-11e4-ac93-040106e9a401
<DONE_URL> q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
2.0.66.0
<CANCEL_URL>
<DOWNLOAD_URL> ADownload Manager b
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
%#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]

setup.exe_264_rwx_00401000_0029F000:

G SSh
<H.uJj
SSSSSSh
f;T$.uBf
QSShXc_
tFHt:Ht.Ht"Hu`
j%XtL9E
SSSSh
t'SShl
u$SShe
tWSShW
tl9_ tgSSh
FTCP
u.PhD6]
tAHt.HHt
FtPW
SSh@B
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CCmdTarget
RegDeleteKeyTransactedW
CNotSupportedException
CHttpConnection
CHttpFile
RegDeleteKeyExW
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
TaskDialogIndirect
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
operator
portuguese-brazilian
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
urlmon
RegOpenKeyTransactedW
<a href='#' ><img src='theme/images/btn_decline.png' id='ButtonCancel' border='0' ></a>
<a href='#'><img src='theme/images/btn_accept.png' id='ButtonOK' border='0'></a>
<img src='theme/images/green_shield.png'>
</font></td><td width='12px'>   </td></tr></table><br></td></tr><tr><td bgcolor='#808080' ><table cellpadding='4' width='100%'><tr><td align='center'><a href='#'><img src='theme/images/btn_decline.png' id='ButtonCancel' border='0'></a></td><td><a href='hXXp://VVV.iminent.com/corporate/eula/' target='_blank'><font face='arial' size='2' color='#B5D544'><b>EULA</b></font></a></td><td><a href='hXXp://VVV.iminent.com/corporate/privacy/' target='_blank'><font face='arial' size='2' color='#B5D544'><b>Privacy Policy</b></font></a></td><td align='center'><a href='#'><img src='theme/images/btn_accept.png' id='ButtonOK' border='0'></a></td></tr></table></td></tr></table></body></html>
<html><head></head><body style="margin: 0"><table width='100%' cellpadding=0 cellspacing=0 height='100%' style='overflow: auto; '><tr><td bgcolor='#808080'><font face='arial' size='1'> </font></td></tr><tr><td><table align='center'><tr><td><img src='theme/images/100free.png'></td><td>   </td><td><font face='arial' size='2'><b>Iminent</b> is 100% Free, <br>sponsored by Search <br>so you will never pay for it.</font></td></tr></table><table align='center'><tr><td width='18px'>   </td><td><font face='arial' size='2'>
DNSAPI.dll
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.?AVCCmdUI@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AVCCmdTarget@@
.PAVCException@@
.PAVCFileException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCResourceException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
GetProcessHeap
PeekNamedPipe
GetCPInfo
GetWindowsDirectoryW
CreatePipe
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
GetViewportExtEx
SetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
URLDownloadToFileW
IsValidURL
GetKeyboardState
GetKeyboardLayout
MapVirtualKeyW
GetKeyNameTextW
MapVirtualKeyExW
CreateDialogIndirectParamW
GetAsyncKeyState
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExW
InternetOpenUrlW
HttpQueryInfoW
InternetCrackUrlW
InternetCanonicalizeUrlW
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
3&.#;3 &
##0#3131%& 
.QICN,
0000000000000000
00000000000000
0 $$ 0 0 ,4$,0 0,
$4$($ ($
.text
`.rdata
@.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
@WININET.DLL
IHTTP/1.0
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
kernel32.dll
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
dwmapi.dll
UxTheme.dll
eShell32.dll
yDWrite.dll
D2D1.dll
%s:%x:%x:%x:%x
SHELL32.DLL
lXXxXXXXXXXX
mfcm100u.dll
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
USER32.DLL
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
COMCTL32.DLL
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
ole32.dll
MFCLink_UrlPrefix
MFCLink_Url
%sPane-%d%x
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d
ShowCmd
X%c%d%c%s
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
RHex={X,X,X}
K%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
windows
Wf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
WRICHED20.DLL
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
Download Url:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid
CAirInstallerDlg::LoadUserInterfaceStalled navigate stalled, request page again. Time: %d
theme w: %d h: %d window w: %d h: %d
intro_page.html
session.xml
index.html
LoadVisorTheme: %s
installer.html
.exe/
DelayLoadThread() waiting for theme to finish building. %d
CAirInstallerDlg::DelayLoadThread request window display. Time: %d Delay: %d Limit: %d
.html
block.html
uninstaller.html
download_page.html
Link url not given:
cancel_page.html
CANCEL_URL>
&url=
DONE_URL>
offer_0.html
_USER_PASSWORD_
e.zip"
.msi"
msiexec.exe -i
msiexec.exe
.exe"
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
CAirInstallerDlg::OnThemeReady theme is ready to display. Time: %d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
Rules (exe) evaluate done
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
rule.value:
rule.location:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
_theme\config\cancel_dialog.xml
URLDownloadToFile failed:
_dialog.html
.infocache.airinstaller.com
_language.map
.lang
InstallerDistributed.exe
setup.exe
CLauncherDlg::OnInitDialog() UAC.launch() failed. Shut down now.
INSTALLER-238EA140-C13E-31F2-E1C5-106067709672
<DOWNLOAD_URL>
/status.html
Installer launch time: %d
\debug.log
WebGrab XML Feed
/get/file_size/?key=
installer run cmd process
\Uninstall Helper.lnk
\Remove Uninstall Helper.lnk
\Uninstaller.exe
API_URL>
irinstaller.com
hXXp://trk.a
comctl32.dll
shell32.dll
comdlg32.dll
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
SystemInspector::EnumerateSubKeys()
SystemInspector::EnumerateSubKeys() Error RegOpenKeyEx()
SystemInspector::EnumerateSubKeys() Error RegQueryInfoKey()
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\acceptpage.html
\html\uninstaller.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\software.html
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
%s %s
%d %s
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s%s%s
G/bundle.xml
bundle.xml
build.js
page-*.js
\settings.xml
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\setup.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1552

  2. Delete the original Installer file.
  3. Delete or disinfect the following files created/modified by the Installer:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (7345 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now