Gen.Variant.Application.Bundler.AirInstaller.4_ad90282585

by malwarelabrobot on July 16th, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.AirAdInstaller.emlr (Kaspersky), Gen:Variant.Application.Bundler.AirInstaller.4 (AdAware), Trojan.Win32.Swrort.3.FD, PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: ad9028258507fa101bd6ee61648079b8
SHA1: 19f8e9626d7d05674c3ea68bf461c38381e7f248
SHA256: 89159ee3700e800c22254a7d86188f5a6d7a162bc974cd2fd93b20b9109cae45
SSDeep: 24576:Jvq1g6y9SD2WZmDSbF2ZNaFegKbOq/F0rTLX/Blr:JkQ9jWZmDSbKQFecq/FkL
Size: 833960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-16 19:58:11
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

dwwin.exe:1528

The Trojan injects its code into the following process(es):

%original file name%.exe:452

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
INSTALLER-238EA140-C13E-31F2-E1C5-106067709672
AirInstaller-Admin
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
oleacc-msaa-loaded

File activity

The process dwwin.exe:1528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2507CC.dmp (137335 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\50a_appcompat.txt (6214 bytes)

Registry activity

The process dwwin.exe:1528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 63 C5 B4 78 31 27 9F 22 BA 42 1F 92 5A C0 2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 F6 8F DB B9 F8 70 1C FE 8D 1B B3 DF F8 3C 65"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AirInstaller
Product Name: Google Chrome
Product Version: 2.0.4.53
Legal Copyright: (c) AirInstaller
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 2.0.4.53
File Description: Google Chrome
Comments:
Language: English

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1679360 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1683456 794624 794112 5.49488 f1d9aa3682ca0a29f3728d02f8e9f9d8
.rsrc 2478080 36864 33792 2.85771 fd1facab73b786f3c8a3086e638cbc63

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 81
c5e7a47edd51d6af06974d7a989e7db5
ab7a4ad347f7900a83971e52ee1cfeec
9ba67b7405de866d27299424b66b11cc
47e948180d0f9baeafd0d3d169c6a446
157faf62f396598be6444fcfbf46c94f
73fb7bf3a15ff1537bc7eb190b37a029
6307000f5a77b6543024548069771936
c44307110ce740a165cf049866f90512
8b3615fd6fc5a1ecdc32996a112b19b3
ddea1a6adeeda02211049bc681a8bed6
96a53ab311ef027863f0a264aad451c6
ca8c15edfe777ee06d0e1a8c4d11ad8b
088fcebe2e569dcf7966efa364c5273d
cd3c401b5912ede4534bf307c8c75ba9
76e40346a3e8774f9b908d2673d261fe
b2447cefe8dcae2640ff5278300c203b
cc389acebf16263fe5aa96888193c531
82174c16751f5557db6d71eb6ae24d89
86a49b3f6d4f9f9ec2c5cc6051a55f52
2747cb378d86ce8327e87d5a4af9fa2f
f4a8fa52398dced5d9c6e455b870e0bd
4b60bc21df40e1c1357be4253c84d5a8
006cf4967db4f5cf8edd51cafb11f1b3
95bb9b9e2e172ed6a75e468181c012be
a520eef7f5b9f3e145687f6d17208570

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_452:

`.rsrc
<H.uJj
f;T$.uBf
t.hd2Z
t.ht?Z
t'SShl
QSShh_\
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
@(69@(69@(69@(69@(69
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
IsValidURL
URLDownloadToFileW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyNameTextW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
GetAsyncKeyState
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCanonicalizeUrlW
InternetCrackUrlW
HttpQueryInfoW
InternetOpenUrlW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
]<%Xg
3&.#3 $-
##0#3131%& 
 ###$#-$
.QICN,=3-?W7P53.51; #;-[3-M?-36#M-a>-053 ##-- 
0 $$ 0 0 ,4$,0 0,
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Gcomctl32.dll
Gcomdlg32.dll
Gshell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
@WININET.DLL
HHTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
windows
KeyboardManager
ShowCmd
I%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
OHex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Sf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
L%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
TRICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
@%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
session.xml
index.html
installer.html
.html
block.html
uninstaller.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
e Executed Offer Ok
.msi"
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
rule.value:
rule.location:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
\theme\config\cancel_dialog.xml
URLDownloadToFile failed:
\language.map
.lang
InstallerDistributed.exe
CLauncherDlg::OnInitDialog() UAC.launch() failed. Shut down now.
INSTALLER-238EA140-C13E-31F2-E1C5-106067709672
2.0.1.6
\debug.log
WebGrab XML Feed
/get/file_size/?key=
&url=
installer run cmd process
\Uninstall Helper.lnk
\Remove Uninstall Helper.lnk
\Uninstaller.exe
API_URL>
irinstaller.com
hXXp://trk.a
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\uninstaller.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s%s%s
FhXXp://testcdn.com
/bundle.xml
hXXp://testcdn.com/bundle/
bundle.xml
build.js
page-*.js
\settings.xml
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
c:\%original file name%.exe
DEFAULTs<FEED_URL>
hXXp://trk.airinstaller.com 0525f07344a7b2
chrome
2.0.4.12
kGoogle Chrome
<DOWNLOAD_URL> AGoogle Chrome <42269141388
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
!#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
Google Chrome
2.0.4.53
setup.exe
Google Chrome

%original file name%.exe_452_rwx_00401000_0025B000:

<H.uJj
f;T$.uBf
t.hd2Z
t.ht?Z
t'SShl
QSShh_\
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page'   currentPage).style.visibility = 'hidden';
document.getElementById('page'   currentPage).style.display = 'none';
document.getElementById('page'   currentPage).style.visibility = 'visible';
document.getElementById('page'   currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i  ) {
var formName = formsCollection[i].name;
//alert('formName: '   formName   ' '   document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e  ) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e  ) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length;   i) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e  ) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e  ) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
      Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
@(69@(69@(69@(69@(69
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
IsValidURL
URLDownloadToFileW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyNameTextW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
GetAsyncKeyState
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCanonicalizeUrlW
InternetCrackUrlW
HttpQueryInfoW
InternetOpenUrlW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
]<%Xg
3&.#3 $-
##0#3131%& 
 ###$#-$
.QICN,=3-?W7P53.51; #;-[3-M?-36#M-a>-053 ##-- 
0 $$ 0 0 ,4$,0 0,
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Gcomctl32.dll
Gcomdlg32.dll
Gshell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
res://%s/%s
res://%s/%d
hXXp://
@WININET.DLL
HHTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
ole32.dll
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
windows
KeyboardManager
ShowCmd
I%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
OHex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Sf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
L%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
TRICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
@%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
session.xml
index.html
installer.html
.html
block.html
uninstaller.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
e Executed Offer Ok
.msi"
Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
rule.value:
rule.location:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
\theme\config\cancel_dialog.xml
URLDownloadToFile failed:
\language.map
.lang
InstallerDistributed.exe
CLauncherDlg::OnInitDialog() UAC.launch() failed. Shut down now.
INSTALLER-238EA140-C13E-31F2-E1C5-106067709672
2.0.1.6
\debug.log
WebGrab XML Feed
/get/file_size/?key=
&url=
installer run cmd process
\Uninstall Helper.lnk
\Remove Uninstall Helper.lnk
\Uninstaller.exe
API_URL>
irinstaller.com
hXXp://trk.a
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\uninstaller.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s%s%s
FhXXp://testcdn.com
/bundle.xml
hXXp://testcdn.com/bundle/
bundle.xml
build.js
page-*.js
\settings.xml
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
c:\%original file name%.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:1528

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\2507CC.dmp (137335 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\50a_appcompat.txt (6214 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now