Gen.Variant.Application.Bundler.AirInstaller.4_accc0897d8

by malwarelabrobot on April 9th, 2018 in Malware Descriptions.

Gen:Variant.Application.Bundler.AirInstaller.4 (BitDefender), not-a-virus:AdWare.Win32.AirAdInstaller.emlr (Kaspersky), AirInstaller (fs) (VIPRE), Adware.Downware.10718 (DrWeb), Gen:Variant.Application.Bundler.AirInstaller.4 (B) (Emsisoft), Artemis!ACCC0897D87D (McAfee), SMG.Heur!gen (Symantec), AdWare.AirAdInstaller (Ikarus), Win32:AirInstaller-A [PUP] (AVG), Win32:AirInstaller-A [PUP] (Avast), TROJ_GEN.R039C0OAQ18 (TrendMicro), Gen:Variant.Application.Bundler.AirInstaller.4 (AdAware), Trojan.Win32.Swrort.3.FD, PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: accc0897d87d5c1d203e861683f6c454
SHA1: 42713e74bbf7cb4b37dd683e298a5f46742a4170
SHA256: 9b2deda3d6d0d541578af9685c9abce48b71b5d6dc0807fd035b0d7ab24052ae
SSDeep: 24576:iIBcraQde6Bzw4v/N0jd25nBKssQOsotijdT5:iIBTeujd25nBuQzotiT
Size: 1116584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-06-27 19:42:09
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2028

The Trojan injects its code into the following process(es):

setup.exe:2448

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\104[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZCvnsm0kZB\intro_page.html (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040820180409\index.dat (16 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012 (0 bytes)

The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (7596 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process setup.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040820180409]
"CacheRepair" = "0"
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040820180409]
"CacheLimit" = "8192"
"CachePrefix" = ":2018040820180409:"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040820180409]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040820180409"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017101120171012]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AirInstaller Inc.
Product Name: Java Runtime
Product Version: 2.0.4.7
Legal Copyright: (c) AirInstaller. All rights reserved.
Legal Trademarks:
Original Filename: AirInstaller.exe
Internal Name: AirInstaller.exe
File Version: 2.0.4.7
File Description: Java Runtime
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1323008 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1327104 1101824 1098752 5.38954 499b9b491cd8eba2358bdec3e009a5b5
.rsrc 2428928 12288 11776 3.09735 f5ea00a2c0ba982ed56b1221615f30d3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 309
89eec61780da2eca9db6409a7708c285
fe684c9872a21630655c9224dd4247bb
dcf91fda67df378e3789acad95fb8075
343c3ce16d494ced038bcc4214c28f70
836017228c725349906eec4097732925
039c3f47c159c445d3102d23728ce7e8
2455fd8be702a91d776c1c5c76bd4a93
1a09913bea81fe4f095bd237ebf7aa12
9f5aea1015cb2b2dd063d433b060b382
db0fff53383707f178c09804e30cb989
4e71979f06d2b409a8daeb7957441aac
f6a4f706f8c396247c4f91b1f4d3e7a1
5ae1637bec60e3a347bc16bd28c46c34
39bf785a9553909ecf068e4ee560bf63
a033b60b6d59adbc07b766a10b6049b9
9bfb8c5c7bf238b4031395735af913eb
49839d504ab583b27a79de955f8b256a
f65f3be1924ca7bb4401629ebc3bb0cc
e76e96675ba8f11dc0d2130aba1f6b81
4bbd35387c3da0f5632d7a31dc7a9e01
27686d90d241505cc8d09aa63ea00e4e
0c2a85684e2d8faf0fbe1fc02fe3694c
ca286389448d08036c226de580bcee26
0b39934dd0060aa1edac0a1c27b79859
64e89290066931d0d628236bf8df5402

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

setup.exe_2448:

`.rsrc
f;T$.uBf
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
IsValidURL
URLDownloadToFileW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyNameTextW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
GetAsyncKeyState
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCanonicalizeUrlW
InternetCrackUrlW
HttpQueryInfoW
InternetOpenUrlW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
]<%Xg
3&.#3 &$-
##0#3131%& 
 ###$#-$
.QICN,=3-?W7P53.#51; #;-[3-M?-36M->-a053 ##-
0 $$ 0 0 ,4$,0 0,
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
'@.relo(
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
comctl32.dll
comdlg32.dll
shell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
KeyboardManager
ShowCmd
%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
windows
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
RICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
feed.xml
installer.html
.html
block.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
e Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
hXXp://trk.airinstaller.com/get/event/?name=user_input
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
theme\config\cancel_dialog.xml
URLDownloadToFile failed:
language.map
.lang
AirInstallerDistributed.exe
setup.exe
AIRINSTALLER-238EA140-C13E-31F2-E1C5-106067709672
hXXp://trk.airinstaller.com/get/event/?name=already_running&data[running]=1
hXXp://cdn.airdlrstatic.com
2.0.1.6
hXXp://trk.airinstaller.com/get/event/?name=session_version
\debug.log
WebGrab XML Feed
hXXp://trk.airinstaller.com/get/log
/get/file_size/?key=
&url=
installer run cmd process
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_with_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
installed.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Uninstaller.exe
%s%s%s
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe
hXXp://airinstaller.com
DEFAULTs<FEED_URL> h hXXp://trk.airinstaller.com 051cec1f8b4a22
hXXp://trk.airinstaller.com q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
firefox
2.0.4.7
<DOWNLOAD_URL> AJava Runtime <Java-MT
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
AirInstaller.exe

setup.exe_2448_rwx_00E01000_0024F000:

f;T$.uBf
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
IsValidURL
URLDownloadToFileW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyNameTextW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
GetAsyncKeyState
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCanonicalizeUrlW
InternetCrackUrlW
HttpQueryInfoW
InternetOpenUrlW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
]<%Xg
3&.#3 &$-
##0#3131%& 
 ###$#-$
.QICN,=3-?W7P53.#51; #;-[3-M?-36M->-a053 ##-
0 $$ 0 0 ,4$,0 0,
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
comctl32.dll
comdlg32.dll
shell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
ole32.dll
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
KeyboardManager
ShowCmd
%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
windows
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
RICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
feed.xml
installer.html
.html
block.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
e Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
hXXp://trk.airinstaller.com/get/event/?name=user_input
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
theme\config\cancel_dialog.xml
URLDownloadToFile failed:
language.map
.lang
AirInstallerDistributed.exe
setup.exe
AIRINSTALLER-238EA140-C13E-31F2-E1C5-106067709672
hXXp://trk.airinstaller.com/get/event/?name=already_running&data[running]=1
hXXp://cdn.airdlrstatic.com
2.0.1.6
hXXp://trk.airinstaller.com/get/event/?name=session_version
\debug.log
WebGrab XML Feed
hXXp://trk.airinstaller.com/get/log
/get/file_size/?key=
&url=
installer run cmd process
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_with_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
installed.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Uninstaller.exe
%s%s%s
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe
hXXp://airinstaller.com
DEFAULTs<FEED_URL> h hXXp://trk.airinstaller.com 051cec1f8b4a22
hXXp://trk.airinstaller.com q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
firefox
2.0.4.7
<DOWNLOAD_URL> AJava Runtime <Java-MT
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2028

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\104[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZCvnsm0kZB\intro_page.html (1376 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040820180409\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (7596 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now