Gen.Variant.Application.Bundler.AirInstaller.4_996ce3227c

by malwarelabrobot on August 25th, 2015 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Gen:Variant.Application.Bundler.AirInstaller.4 (AdAware), Trojan.Win32.Swrort.3.FD, PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 996ce3227cf7936d27210e482be556ee
SHA1: 953beb34b965ff5a89e7d94fdf8a1000334c33ce
SHA256: ab0926cb86fc6742878a1b3a92e234bff5e6b124b152e58310bd4a11361f2fbb
SSDeep: 24576:uvoi3q3kzOpJOfedKl3b0MDCBHyRXYVW M9OKbmOKm/9yeQQsH79IJNqerv:uvPqJpJOn0M2BHyRXYxAOAKOsfDH79I1
Size: 1113736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2013-04-16 21:06:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1756

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CP67GTAF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPEJ8LQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81IVWL2N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s34ftK367r\intro_page.html (1371 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KXM74HMF\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082420150825]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082420150825]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015082420150825\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082420150825]
"CacheRepair" = "0"

"CachePrefix" = ":2015082420150825:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 8A 1C 61 9D C9 81 5F CE 82 BD 4D 36 B7 AE 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082420150825]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AirInstaller Inc.
Product Name: Download Manager
Product Version: 2.0.3.87
Legal Copyright: (c) AirInstaller. All rights reserved.
Legal Trademarks:
Original Filename: AirInstaller.exe
Internal Name: AirInstaller.exe
File Version: 2.0.3.87
File Description: Download Manager
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1314816 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1318912 1097728 1094144 5.39033 47107099e5f7e3dd82f8d8ba2eb3e0a0
.rsrc 2416640 12288 11776 3.10401 e935f1032de178ef197a46c70cff643b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 26
34de9b991382ef4c0cd3708b536f0080
3d0525dd014cbcf1cff0030cb17c2632
7a3b4ab12bfbc9b9b59a9185eff66134
c105dfc036e0823fecf99041368e7448
064619c46e63b48d026dc2d6449dd5a2
ea6d66202dbac1363a8eb510ec66a41b
a949e62902336f5bb96a8efeebfe6e48
cea5fd68938f58c20be1d82424b15f9d
6df3cfcddbafca54cafc6e774c93eed3
f81184c64d968825a1ecd49c0675de8d
d3817e7ad78300630b995c5bfe495a8e
670177268f2d24ecb6cf6c4e2fb35e97
c2b94371ca5db789e25650326ddeea85
d91fa818bef526f7fef9b5f76352f5e0
f4f2de3320e1c515cc87a3df84e0c3cb
a4e25a27a94b68b5ac5fd7431ba9b635
2b969d6d7d8c88d55417a083db4c4c15
0f97b06e0b6fd0031d748211eb8ea95c
1d43dbbbe03f2cbed31de9429d616e3b
ba250df43cb9d340c738a165cf033f4f
c7e0533939d37ee06440ad072cb641ba
25d8c19b88931de565ae85cbe090d3a9
d0035673a4e5b98540cda3768dafe346
c4b3637acaefbb95fc10f2ddea887744
04e6d1a0c9e36a5be79e233c7a6d640d

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1756:

`.rsrc
f;T$.uBf
t.hHXY
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
u.PhT
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
<!--%s-->
&#xX;
</%s>
%s='%s'
%s="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
version="%s"
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
portuguese-brazilian
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Keys
RegOpenKeyTransactedW
run_cmd
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
session_key
thankyou_url
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
input_post_url
operator
purl
turl
regkeys
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
GetCPInfo
GetProcessHeap
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteW
UrlUnescapeW
URLDownloadToFileW
IsValidURL
GetAsyncKeyState
MapVirtualKeyW
GetKeyNameTextW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
InternetOpenUrlW
HttpQueryInfoW
InternetCrackUrlW
InternetCanonicalizeUrlW
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
0;0-3õ0(8_1%f#
3&.#3 &$-
##0#3131%& 
.QICN,=3-?W7P5351;. #;-[3-#M?-36$M->-a053 ##-
6:2.xZ8Y-(8
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
`.rds
'@.relo(n
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Gcomctl32.dll
Gcomdlg32.dll
Gshell32.dll
res://%s/%s
res://%s/%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
hXXp://
DWININET.DLL
GHTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
windows
KeyboardManager
ShowCmd
O%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
OHex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Rf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
RIH%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
TRICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
D%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
feed.xml
installer.html
.html
block.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
hXXp://trk.airinstaller.com/get/event/?name=user_input
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
\theme\config\cancel_dialog.xml
URLDownloadToFile failed:
\language.map
.lang
\AIRINSTALLER-238EA140-C13E-31F2-E1C5-106067709672
hXXp://trk.airinstaller.com/get/event/?name=allready_running
hXXp://cdn.airdlrstatic.com
2.0.1.6
hXXp://trk.airinstaller.com/get/event/?name=session_version
\debug.log
WebGrab XML Feed
hXXp://trk.airinstaller.com/get/log
/get/file_size/?key=
&url=
installer run cmd process
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
</Reg_Key>
<Reg_Key>
installed.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Uninstaller.exe
%s%s%s
Offer exe_cmd:
Offer exe_eval:
Offer download_url:
Offer impression_url:
Offer conversion_url:
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
c:\%original file name%.exe
hXXp://airinstaller.com
DEFAULTs<FEED_URL> h hXXp://trk.airinstaller.com 051703a20f2ff4
hXXp://trk.airinstaller.com q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
chrome
2.0.3.87
<DOWNLOAD_URL> ADownload Manager <noskip
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
AirInstaller.exe

%original file name%.exe_1756_rwx_00401000_0024B000:

f;T$.uBf
t.hHXY
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
u.PhT
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
<!--%s-->
&#xX;
</%s>
%s='%s'
%s="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
version="%s"
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
portuguese-brazilian
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Keys
RegOpenKeyTransactedW
run_cmd
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
session_key
thankyou_url
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
input_post_url
operator
purl
turl
regkeys
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
GetCPInfo
GetProcessHeap
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteW
UrlUnescapeW
URLDownloadToFileW
IsValidURL
GetAsyncKeyState
MapVirtualKeyW
GetKeyNameTextW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
InternetOpenUrlW
HttpQueryInfoW
InternetCrackUrlW
InternetCanonicalizeUrlW
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
0;0-3õ0(8_1%f#
3&.#3 &$-
##0#3131%& 
.QICN,=3-?W7P5351;. #;-[3-#M?-36$M->-a053 ##-
6:2.xZ8Y-(8
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Gcomctl32.dll
Gcomdlg32.dll
Gshell32.dll
res://%s/%s
res://%s/%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
hXXp://
DWININET.DLL
GHTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
ole32.dll
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
windows
KeyboardManager
ShowCmd
O%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
OHex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Rf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
RIH%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
TRICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
D%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
feed.xml
installer.html
.html
block.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
hXXp://trk.airinstaller.com/get/event/?name=user_input
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
\theme\config\cancel_dialog.xml
URLDownloadToFile failed:
\language.map
.lang
\AIRINSTALLER-238EA140-C13E-31F2-E1C5-106067709672
hXXp://trk.airinstaller.com/get/event/?name=allready_running
hXXp://cdn.airdlrstatic.com
2.0.1.6
hXXp://trk.airinstaller.com/get/event/?name=session_version
\debug.log
WebGrab XML Feed
hXXp://trk.airinstaller.com/get/log
/get/file_size/?key=
&url=
installer run cmd process
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
</Reg_Key>
<Reg_Key>
installed.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Uninstaller.exe
%s%s%s
Offer exe_cmd:
Offer exe_eval:
Offer download_url:
Offer impression_url:
Offer conversion_url:
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
c:\%original file name%.exe
hXXp://airinstaller.com
DEFAULTs<FEED_URL> h hXXp://trk.airinstaller.com 051703a20f2ff4
hXXp://trk.airinstaller.com q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
chrome
2.0.3.87
<DOWNLOAD_URL> ADownload Manager <noskip
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CP67GTAF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPEJ8LQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81IVWL2N\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\s34ftK367r\intro_page.html (1371 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KXM74HMF\desktop.ini (67 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now