SearchProtectToolbar_pcap_d9733faefd

by malwarelabrobot on December 18th, 2014 in Malware Descriptions.

SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d9733faefd72af02877de4dc3eb8642d
SHA1: 460473831eabd8e986857087e70ff22cd762e54d
SHA256: e0ca9398808f469c2aea96319b644e58171b769810bec5118645be8c29865319
SSDeep: 393216:atIHFMEzHsW 9G989/L NgUxmHl4h/2sSQC6stH5UZT6lGF:aqFDzsW 9GsL Am/e5WZTLF
Size: 18818672 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AOL Inc.
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

dnupdatersetup.exe:2392
WerFault.exe:3408
aol-messaging_trio1C76.exe:2744
aimtbServer.exe:2388
aimtbServer.exe:1676
aimtbServer.exe:3896
aimtbServer.exe:3388
aol-messaging_toolbar_ff.exe:2736
dlupd.exe:2712
RunDll32.exe:3852
%original file name%.exe:3300
%original file name%.exe:2728
aol-messaging_toolbar_ie.exe:3716
regsvr32.exe:3468
dnu.exe:4024
dnu.exe:3420
dnu.exe:2956
dnu.exe:2372

The Malware injects its code into the following process(es):

aim.exe:692
AOL_Search.exe:3728

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dnupdatersetup.exe:2392 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\nsJSON.dll (15 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (313 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State (2156387 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\System.dll (23 bytes)

The process WerFault.exe:3408 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_dnupdatersetup.e_50eae638e7cd79cff7e41844acbd428498edc5_0d5c7e53\Report.wer (156854 bytes)

The process aol-messaging_trio1C76.exe:2744 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\vc9rt.msi (39033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\182NGY1Y\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\timestamp[1].htm (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (27962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P3RWXGAD.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spr5.htm (85 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll (16476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\upgrade.xml (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\timestamp.txt (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll (5667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe (14383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWR9ROHK\nocontentxml[1].htm (34 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe (48083 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JOM1A130.txt (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe (6665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe (166927 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V8U5K4H\nocontentxml[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll (1461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll (32 bytes)

The process aim.exe:692 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\update\config.xml (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000005 (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000004 (87 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000007 (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000006 (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000001 (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000003 (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000002 (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000009 (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000008 (69 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FAP56A8.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\manifest.bin (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies (383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage-journal (5114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_9QXbgnrIl1bcXkL (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\index (368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies-journal (2799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\fcs4AB5.tmp (703 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_3 (6376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_2 (12792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_1 (32536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_0 (186740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (5416 bytes)

The process aol-messaging_toolbar_ff.exe:2736 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IaimUninstallObserver.xpt (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\pinit.zip (2903 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa7FBB.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll (6762 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\share.zip (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\weather.zip (8430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\aolmail.zip (3355 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\amazon.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll (1228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\trendingtopics.zip (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\surfometer.zip (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\source.dat (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimUninstallObserver.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAddonObserver.js (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\calendar.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\facebook.zip (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAutoSuggest.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IMailUtil.xpt (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar (11620 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome.manifest (975 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe (11050 bytes)

The process dlupd.exe:2712 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (1764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6689 bytes)

The process AOL_Search.exe:3728 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe (11050 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-search.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll (23 bytes)

The process %original file name%.exe:3300 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locales\en-US.pak (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsisext.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\manifest.bin (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdl10n.ini (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\credits.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll (325923 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll (524009 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\Uninstaller.exe (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll (26610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\register.bat (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\config.xml (321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\unregister.bat (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuEA4F.tmp (1220470 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe (33504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll (766772 bytes)
C:\Users\"%CurrentUserName%"\Desktop\AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\Uninstall AIM.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\dlupd.exe (5211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\modern-header.bmp (5 bytes)

The process %original file name%.exe:2728 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE946.tmp (28210 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\nsisext.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\modern-header.bmp (5 bytes)

The process aol-messaging_toolbar_ie.exe:3716 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\trendingtopics.zip (11 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_0.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addbuddybutton.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_0.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_left.gif (138 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\jquery.js (3436 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevdown.gif (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_bot.gif (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_left.gif (138 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll (8320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buddy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\09.gif (317 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints_frame.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\amazon.zip (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\privacy_icon.gif (468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdown.gif (477 bytes)
%Program Files% (x86)\AIM Toolbar\uninstall.exe (8368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_2.gif (914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\content.html (828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupover.gif (445 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_0.gif (908 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\06.gif (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttonManager.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_left.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_large.gif (170 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsearch.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\evergreen.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addbuddybutton.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_bot.gif (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\bullet.gif (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enabletoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html (714 bytes)
%Program Files% (x86)\AIM Toolbar\7z.dll (19117 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dropcustombutton.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\buttons\defaultButtons.xml (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\bullet.gif (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtb.cfg (1568 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownover.gif (452 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\weather.zip (8430 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\latest.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\renamecustombutton.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_0.gif (905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\07.gif (307 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\firsttimepage.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_2.gif (906 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enabletoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.htm (495 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints_confirm.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\qap.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_large.gif (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\olderversion.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\04.gif (310 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bottom.gif (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsearch.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply_over.png (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevover.gif (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_top.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_frame.htm (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttonManager.js (6 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_right.gif (108 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_large.gif (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextover.gif (155 bytes)
%Program Files%\AIM Toolbar\7z.dll (31890 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_0.gif (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.htm (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowright.png (939 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\weather.zip (8430 bytes)
%Program Files%\AIM Toolbar\uninstall.exe (8368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownover.gif (452 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\share.zip (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\UserInfo.dll (8 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdisabled.gif (456 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_2.gif (914 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dots32.gif (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_left.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_2.gif (900 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabOver.gif (904 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\json2.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowleft.png (938 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enable_bg.jpg (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndown.gif (482 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\pinit.zip (2903 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\calendar.zip (16 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_right_tile.gif (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_0.gif (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons_frame.htm (3 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\09.gif (317 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\resettoolbar.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_top.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\surfometer.zip (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_0.gif (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\jquery.js (3436 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addcustombutton.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\03.gif (314 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_0.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\share.zip (4 bytes)
%Program Files% (x86)\AIM Toolbar\aimtbServer.exe (6897 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_icon.gif (582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dot.gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\07.gif (307 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_2.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\facebook.zip (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevup.gif (219 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabActive.gif (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\metrics.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\00.gif (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndown.gif (482 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_2.gif (909 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\about.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\branding.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextdown.gif (159 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownup.gif (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_left_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\olderversion.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_0.gif (910 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdown.gif (477 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\03.gif (314 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\about.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options_frame.htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabActive.gif (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevdown.gif (157 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popup_icon.gif (240 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextover.gif (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\aolmail.zip (3355 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_right.gif (108 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\surfometer.zip (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_frame.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\02.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\calendar.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextup.gif (222 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupover.gif (445 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_1.gif (821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_bot.gif (72 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\ani_media_icon.gif (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blocker.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_2.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_2.gif (906 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right.gif (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\02.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_right_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_frame.htm (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownup.gif (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\qap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\privacy_icon.gif (468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsprompt.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addcustombutton.htm (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blocker.js (6 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\amazon.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bg.gif (64 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevup.gif (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.html (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\general_icon.gif (470 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.css (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_icon.gif (462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndisabled.gif (455 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dot.gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextup.gif (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabNormal.gif (884 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\content.html (828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply_over.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\upgradeToolbar.exe (3428 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll (8320 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\customize_icon.gif (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints_confirm.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupup.gif (488 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_0.gif (905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\nsArray.dll (14 bytes)
%Program Files%\AIM Toolbar\aimtbServer.exe (11642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\metrics.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.html (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\08.gif (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_2.gif (907 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\general_icon.gif (470 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\00.gif (313 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtb.cfg (1568 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_2.gif (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buddy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\firsttimepage.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_1.gif (821 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupup.gif (488 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowleft.png (938 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\resettoolbar.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\latest.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\customize_icon.gif (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bottom.gif (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dropcustombutton.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\05.gif (314 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndisabled.gif (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_1.gif (820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_frame.htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\06.gif (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\pinit.zip (2903 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\01.gif (201 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons_frame.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bg.gif (64 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_0.gif (908 bytes)
%Program Files% (x86)\AIM Toolbar\aimtb.dll (63702 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply.png (1 bytes)
%Program Files%\AIM Toolbar\aimtb.dll (82243 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_0.gif (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\ani_media_icon.gif (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\facebook.zip (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\renamecustombutton.htm (4 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsprompt.htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\local\search.html (714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_1.gif (820 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_left_tile.gif (54 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons.js (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\branding.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_bot.gif (72 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabNormal.gif (884 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\youtube.zip (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\05.gif (314 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabOver.gif (904 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\04.gif (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\json2.js (18 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\01.gif (201 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\buttons\defaultButtons.xml (9 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\aolmail.zip (3355 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_2.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popup_icon.gif (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_icon.gif (582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_2.gif (900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextdown.gif (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dots32.gif (5 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_2.gif (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\evergreen.html (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\stylesheet.css (7 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\trendingtopics.zip (11 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\08.gif (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left.gif (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (8320 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enable_bg.jpg (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_0.gif (911 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left.gif (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\custombutton.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdisabled.gif (456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_2.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_tile.gif (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll (8696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\stylesheet.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_tile.gif (53 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_0.gif (910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_icon.gif (462 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_1.gif (821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevover.gif (152 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_large.gif (171 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\custombutton.js (1 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options.js (2 bytes)
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowright.png (939 bytes)

The process regsvr32.exe:3468 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (376 bytes)
%Program Files%\AIM Toolbar\aimtb.dll (291 bytes)

The process dnu.exe:4024 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe (1181785 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\prd1AA1.tmp (1444 bytes)

The process dnu.exe:3420 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

The process dnu.exe:2372 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

Registry activity

The process dnupdatersetup.exe:2392 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]
"DisplayIcon" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe, 201"
"UninstallString" = "%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe"
"NoModify" = "1"
"VersionMinor" = "2"
"NoRepair" = "1"
"VersionMajor" = "1"
"InstallLocation" = "%Program Files% (x86)\Common Files\Software Update Utility"
"Publisher" = "AOL Inc."
"DisplayName" = "Download Updater (AOL Inc.)"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]

The process WerFault.exe:3408 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 92 37 0A 77"

The process aol-messaging_trio1C76.exe:2744 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"silent" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg"
"Reboot"

The process aimtbServer.exe:2388 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "c:\program files\aim toolbar\aimtbServer.exe"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

The Malware deletes the following registry key(s):

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\Programmable]
[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]

The process aimtbServer.exe:1676 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}]
"(Default)" = "_IAolToolbarHelperEvents"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}]
"(Default)" = "IAolToolbarHelper"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}]
"(Default)" = "IAolToolbarHelper"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtbServer.exe"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\Interface\{13311D17-DD1E-4353-B0F8-D60D1BFCB6E3}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtbServer.exe"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}\TypeLib]
"(Default)" = "{F77DCFA1-409C-4EC6-863A-8133C629A505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\Interface\{9DCBBA94-F807-4018-96F0-75D5A162A0BE}]
"(Default)" = "_IAolToolbarHelperEvents"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0]
"(Default)" = "AIMToolbarServer 1.0 Type Library"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\FLAGS]
"(Default)" = "0"

The process aimtbServer.exe:3896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtbServer.exe"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\TypeLib\{F77DCFA1-409C-4EC6-863A-8133C629A505}\1.0\0\win64]
"(Default)" = "%Program Files%\AIM Toolbar\aimtbServer.exe"

[HKCR\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

The process aimtbServer.exe:3388 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\AIMTbServer.AolToolbarHelper\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

[HKCR\AppID\{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}]
"(Default)" = "AIMTbServer"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]
"(Default)" = "c:\program files (x86)\aim toolbar\aimtbServer.exe"

[HKCR\AppID\aimtbServer.exe]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper"

[HKCR\AIMTbServer.AolToolbarHelper]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\AIMTbServer.AolToolbarHelper\CurVer]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
"AppID" = "{6ad5caf1-4fd4-4ad3-b6c7-bd6baaede11c}"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
"(Default)" = "{f77dcfa1-409c-4ec6-863a-8133c629a505}"

[HKCR\AIMTbServer.AolToolbarHelper.1]
"(Default)" = "AIM Toolbar Helper Class"

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
"(Default)" = "AIMTbServer.AolToolbarHelper.1"

[HKCR\AIMTbServer.AolToolbarHelper.1\CLSID]
"(Default)" = "{0ef242c6-6ecd-476e-9859-076503985f8e}"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\ProgID]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\Programmable]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\TypeLib]
[HKCR\Wow6432Node\CLSID\{0ef242c6-6ecd-476e-9859-076503985f8e}\LocalServer32]

The process aim.exe:692 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\America Online\AOL Diagnostics\AOLChromelyAIMUSGMWin328.0.7.1]
"aim.exe" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

[HKCU\Software\Classes\aim\shell\open\command]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe -appcmd=%1"

[HKCU\Software\Classes\aim\Content Type]
"(Default)" = "application/x-aim"

[HKCU\Software\Classes\aim]
"URL Protocol" = ""

[HKCU\Software\Classes\aim\DefaultIcon]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe,0"

The process dlupd.exe:2712 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility]
"DisplayIcon" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe, 201"
"UninstallString" = "%Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe"
"NoModify" = "1"
"VersionMinor" = "2"
"NoRepair" = "1"
"VersionMajor" = "1"
"InstallLocation" = "%Program Files% (x86)\Common Files\Software Update Utility"
"Publisher" = "AOL Inc."
"DisplayName" = "Download Updater (AOL Inc.)"

The process AOL_Search.exe:3728 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 32 7F C4 47"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"SuggestionsURL_JSON" = "http://autocomplete.search.aol.com/autocomplete/get?q={searchTerms}&count=10&it={source}-en-us&output=json&it=aimright-ie"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"ShowSearchSuggestions" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 B3 1D A1 8F"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"URL" = "http://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=aimright-ie&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014"
"FaviconURL" = "http://search.aol.com/favicon.ico"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
"DisplayName" = "AOL Search"

The Malware deletes the following registry key(s):

[HKCU\Software\Classes\Local Settings\MuiCache\2A]
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"503006091D97D4F5AE39F7CBE7927D7D652D3431"
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

The process RunDll32.exe:3852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "DB 35 4E 89 16 19 D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process %original file name%.exe:3300 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{7A02967B-018E-41c9-953E-3DCAB144538B}]
"AppName" = "aim.exe"
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"DisplayName" = "AIM for Windows"
"Publisher" = "AOL Inc."
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{7A02967B-018E-41c9-953E-3DCAB144538B}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"VersionMajor" = "8"
"NoRepair" = "1"
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"
"NoModify" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AIM]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM for Windows" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

The process %original file name%.exe:2728 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process aol-messaging_toolbar_ie.exe:3716 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"AppID" = ""

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallDate" = "17-12-2014"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCU\Software\AIM Toolbar\ieToolbar]
"Installed" = "0"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"brand" = "AIM"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"(Default)" = "ToolbarInfo Class"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"partner" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"PostInst" = "http://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1&upg=0"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"DisplayName" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.Downloader\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"PostInst" = "http://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1&upg=0&upg=0"

[HKCR\AIMTb.MailUtil\CurVer]
"(Default)" = "AIMTb.MailUtil.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"CLSID" = "aimtbServer.exe"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"(Default)" = "ContentObject Class"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"removeButtons" = ";aol_mail;aim_express;aim_newIM;aim_thisPage;aim_goAway;aol_radio_1100;aol_video_1000;share_this;aim_express_7238;aim_new_im_8051;im2sms_7871;set_away_7889;lifestream_8042;aimexpress;aol_mail;newim;send2cell;setaway;lifestream;aolradio;share;aol_mail_32168;send2cell_32191;share_32235;aolradio_32224;facebook_42091;share_this_page_46128;aol_mail_37735_url;ebay_46844"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\AIMTb.ToolbarParams]
"(Default)" = "ToolbarParams Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.Downloader.1\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\NumMethods]
"(Default)" = "25"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.AOLTBSearch.1]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.CurtainInfo]
"(Default)" = "CurtainInfo Class"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"(Default)" = "Downloader Class"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"partner" = ""

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Build" = "5.96.10.10013"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.MailUtil.1]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.ToolbarParams.1\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ToolbarParams\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\AIMTb.WinampUtil\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\VersionIndependentProgID]
"(Default)" = "AIMTb.CurtainInfo"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\AIMTb.ContentObject\CurVer]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"Version" = "1.0"

[HKCR\AIMTb.ContentObject\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCR\AIMTb.MailUtil.1\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0]
"(Default)" = "AOL Messaging Toolbar 1.0 Type Library"

[HKCR\AIMTb.ToolbarInfo.1\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\AIMTb.ToolbarInfo\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"ToolbarID" = "aol-messaging"

[HKCR\AIMTb.WidgetController\CurVer]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale" = "en-US"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\AIMTb.CurtainInfo\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\AIMTb.ToolbarInfo\CurVer]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallSource" = "aimright-ie"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"isUpg" = "0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Guid" = "{279bd60b-eb31-4c6d-969c-b2e024885899}"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"AppID" = ""

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"(Default)" = "ToolbarParams Class"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"AppID" = ""

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\NumMethods]
"(Default)" = "10"

[HKCR\AIMTb.AOLTBSearch\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"brand" = "AIM"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallDate" = "17-12-2014"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallSource" = "aimright-ie"

[HKCR\Wow6432Node\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"UninstallString" = "%Program Files% (x86)\AIM Toolbar\uninstall.exe"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.WidgetController\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\AIMTb.WidgetHandler\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\AIMTb.ContentObject.1\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"Policy" = "3"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"VersionMajor" = "5"

[HKCR\AIMTb.ToolbarParams\CurVer]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2A 6E 80 C8 29 1A D0 01"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallMsg" = ""

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}" = "AOL Messaging Toolbar"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCR\AIMTb.CurtainInfo\CurVer]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"AppID" = ""

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\NumMethods]
"(Default)" = "7"

[HKCR\AIMTb.AOLToolBand\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"VersionNum" = "5"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"VersionMinor" = "96"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\NumMethods]
"(Default)" = "8"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"distroid" = "aim"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"AppID" = ""

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"(Default)" = "CurtainInfo Class"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"partner" = ""

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\NumMethods]
"(Default)" = "43"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"FirstUse" = "N"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"AppID" = ""

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"isUpg" = "0"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\NumMethods]
"(Default)" = "17"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\AIMTb.MailUtil]
"(Default)" = "MailUtil Class"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"partner" = ""

[HKCR\AIMTb.WidgetController.1]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.ContentObject.1]
"(Default)" = "ContentObject Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"(Default)" = ""

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.ContentObject]
"(Default)" = "ContentObject Class"

[HKCR\AIMTb.ToolbarInfo]
"(Default)" = "ToolbarInfo Class"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\ProgID]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\AIMTb.WidgetController]
"(Default)" = "WidgetController Class"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\NumMethods]
"(Default)" = "15"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"AppID" = ""

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"distroid" = "aim"

[HKCR\AIMTb.CurtainInfo.1]
"(Default)" = "CurtainInfo Class"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarParams"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetHandler"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppName" = "aimtbServer.exe"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"FirstUse" = "N"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"AppPath" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"AppID" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"installId" = "2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"defaultsCheck" = "3"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKCR\AIMTb.AOLToolBand.1\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\NumMethods]
"(Default)" = "62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLToolBand.1]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.AOLTBSearch\CurVer]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"brand" = "AIM"

[HKCR\AIMTb.ToolbarParams.1]
"(Default)" = "ToolbarParams Class"

[HKCR\AIMTb.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AIMTb.WidgetHandler.1]
"(Default)" = "WidgetHandler Class"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.WinampUtil.1]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.AOLTBSearch.1\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallSource" = "aimright-ie"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"InstallSource" = "aimright-ie"
"InstallDate" = "17-12-2014"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.WinampUtil]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.WidgetHandler.1\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\AIMTb.AOLToolBand]
"(Default)" = "AOL Messaging Toolbar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"VersionNum" = "5"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLTBSearch"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\ProgID]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\AIMTb.WinampUtil\CurVer]
"(Default)" = "AIMTb.WinampUtil.1"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"mtmhp" = "hyplogusaolp00000013"

[HKCR\AIMTb.ToolbarInfo.1]
"(Default)" = "ToolbarInfo Class"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\NumMethods]
"(Default)" = "12"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\VersionIndependentProgID]
"(Default)" = "AIMTb.Downloader"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppPath" = "c:\program files (x86)\aim toolbar"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Build" = "5.96.10.10013"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\ProgID]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\AIMTb.Downloader\CurVer]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCU\Software\AIM Toolbar\ieToolbar\settings\_ldefault_\curtain]
"congrats" = "curtainupg"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarInfo"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"(Default)" = "%Program Files% (x86)\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetController.1\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"AppID" = ""

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"ToolbarID" = "aol-messaging"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\ProgID]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"HomePage" = "http://www.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"InstallLanguage" = "1033"

[HKCR\AIMTb.MailUtil\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"InstallDate" = "17-12-2014"

[HKCR\AIMTb.AOLToolBand\CurVer]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\Wow6432Node\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\VersionIndependentProgID]
"(Default)" = "AIMTb.WinampUtil"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\VersionIndependentProgID]
"(Default)" = "AIMTb.MailUtil"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLToolBand"

[HKCR\Wow6432Node\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.WidgetHandler\CurVer]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\AIMTb.CurtainInfo.1\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"Version" = "1.0"

[HKCR\AIMTb.AOLTBSearch]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"brand" = "AIM"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"(Default)" = "{F8EC99B3-C2CA-4A5F-9505-C049766DC883}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"defaultsCheck" = "3"
"useLocale" = "en-US"

[HKCR\Wow6432Node\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\ProgID]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"DisplayIcon" = "%Program Files% (x86)\AIM Toolbar\uninstall.exe"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"AppID" = ""

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\ProgID]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\ProgID]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"removeButtons" = ";aol_mail;aim_express;aim_newIM;aim_thisPage;aim_goAway;aol_radio_1100;aol_video_1000;share_this;aim_express_7238;aim_new_im_8051;im2sms_7871;set_away_7889;lifestream_8042;aimexpress;aol_mail;newim;send2cell;setaway;lifestream;aolradio;share;aol_mail_32168;send2cell_32191;share_32235;aolradio_32224;facebook_42091;share_this_page_46128;aol_mail_37735_url;ebay_46844"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AIM Toolbar]
"Publisher" = "AOL Inc."

[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.WinampUtil.1\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"AppPath" = "%Program Files%\AIM Toolbar"

[HKCR\Wow6432Node\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetController"

[HKCR\Wow6432Node\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\ProgID]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\Wow6432Node\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\VersionIndependentProgID]
"(Default)" = "AIMTb.ContentObject"

[HKCR\AIMTb.WidgetHandler]
"(Default)" = "WidgetHandler Class"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\Programmable]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Programmable]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
[HKCR\Wow6432Node\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
[HKCR\Wow6432Node\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Programmable]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"appendButtonId"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"locale"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\OriginalVersion]
"Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"locale"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"Department"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale"
"Department"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"useLocale"

The process regsvr32.exe:3468 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}]
"(Default)" = "IContentObject"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\ProgID]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\AIMTb.WinampUtil.1]
"(Default)" = "WinampUtil Class"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.ToolbarInfo\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"(Default)" = "WidgetController Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.AOLTBSearch.1\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}]
"(Default)" = "IDownloader"

[HKCR\AIMTb.WidgetController\CurVer]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\Wow6432Node\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"AppID" = ""

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCU\Software\AIM Toolbar\ieToolbar]
"Installed" = "0"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}]
"(Default)" = "IAOLTBBrowserHelper"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "IWidgetHandler"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\VersionIndependentProgID]
"(Default)" = "AIMTb.ContentObject"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarInfo]
"(Default)" = "ToolbarInfo Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCR\AIMTb.MailUtil\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"AppID" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppName" = "aimtbServer.exe"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"(Default)" = "ToolbarInfo Class"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}]
"(Default)" = "IAOLTBSearch"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\VersionIndependentProgID]
"(Default)" = "AIMTb.WinampUtil"

[HKCR\AIMTb.CurtainInfo\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\ProgID]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\AIMTb.WinampUtil]
"(Default)" = "WinampUtil Class"

[HKCR\AIMTb.MailUtil]
"(Default)" = "MailUtil Class"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\NumMethods]
"(Default)" = "15"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ToolbarInfo\CurVer]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\NumMethods]
"(Default)" = "10"

[HKCR\AIMTb.AOLToolBand]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}]
"(Default)" = "IWinampUtil"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\AIMTb.Downloader\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetHandler.1\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}]
"AppID" = ""

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\NumMethods]
"(Default)" = "7"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\NumMethods]
"(Default)" = "12"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\VersionIndependentProgID]
"(Default)" = "AIMTb.CurtainInfo"

[HKCR\AIMTb.MailUtil\CurVer]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\AIMTb.ContentObject.1]
"(Default)" = "ContentObject Class"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.WidgetController]
"(Default)" = "WidgetController Class"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WinampUtil\CurVer]
"(Default)" = "AIMTb.WinampUtil.1"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"AppID" = ""

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\ProgID]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\AIMTb.ToolbarInfo.1]
"(Default)" = "ToolbarInfo Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLTBSearch\CLSID]
"(Default)" = "{03402f96-3dc7-4285-bc50-9e81fefafe43}"

[HKCR\AIMTb.ContentObject]
"(Default)" = "ContentObject Class"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}]
"(Default)" = "IAOLToolBand"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"AppID" = ""

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.Downloader\CurVer]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\ProgID]
"(Default)" = "AIMTb.Downloader.1"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"AppID" = ""

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\VersionIndependentProgID]
"(Default)" = "AIMTb.MailUtil"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}]
"(Default)" = "WinampUtil Class"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\ProgID]
"(Default)" = "AIMTb.MailUtil.1"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.WidgetController\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\VersionIndependentProgID]
"(Default)" = "AIMTb.Downloader"

[HKCR\Wow6432Node\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.WidgetController.1]
"(Default)" = "WidgetController Class"

[HKCR\AIMTb.WidgetHandler\CLSID]
"(Default)" = "{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarParams]
"(Default)" = "ToolbarParams Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"AppPath" = "c:\program files\aim toolbar"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\NumMethods]
"(Default)" = "25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}]
"(Default)" = "IToolbarPrefs"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}]
"(Default)" = "ICurtainInfo"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"(Default)" = "ContentObject Class"

[HKCR\AIMTb.ContentObject.1\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\Wow6432Node\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.Downloader.1\CLSID]
"(Default)" = "{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}"

[HKCR\AIMTb.CurtainInfo.1]
"(Default)" = "CurtainInfo Class"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}]
"(Default)" = "IToolbarInfo"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarParams"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Wow6432Node\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22e2c583-ec3b-4efc-a274-b134782289fd}]
"CLSID" = "aimtbServer.exe"

[HKCR\AIMTb.ToolbarParams\CurVer]
"(Default)" = "AIMTb.ToolbarParams.1"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\NumMethods]
"(Default)" = "11"

[HKCR\AIMTb.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.CurtainInfo]
"(Default)" = "CurtainInfo Class"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}\NumMethods]
"(Default)" = "17"

[HKCR\AIMTb.AOLToolBand\CurVer]
"(Default)" = "AIMTb.AOLToolBand.1"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\AIMTb.CurtainInfo\CurVer]
"(Default)" = "AIMTb.CurtainInfo.1"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"AppID" = ""

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{BC84124A-823B-459A-91F3-41BB6584D048}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\ProgID]
"(Default)" = "AIMTb.ToolbarInfo.1"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"AppID" = ""

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\ProgID]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLTBSearch"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\NumMethods]
"(Default)" = "7"

[HKCR\AIMTb.AOLToolBand\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\AIMTb.MailUtil.1]
"(Default)" = "MailUtil Class"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\Interface\{85562CCC-2A82-4361-8100-60CA8B5C7A16}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\AIMTb.ToolbarParams.1\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.ToolbarParams\CLSID]
"(Default)" = "{5f0383d1-2408-42dd-9e25-1e375a314825}"

[HKCR\AIMTb.AOLToolBand.1\CLSID]
"(Default)" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"

[HKCR\AIMTb.WinampUtil\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\AIMTb.WidgetHandler\CurVer]
"(Default)" = "AIMTb.WidgetHandler.1"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\ProgID]
"(Default)" = "AIMTb.WidgetController.1"

[HKCR\AIMTb.CurtainInfo.1\CLSID]
"(Default)" = "{090e7543-393f-48ac-8038-1f6cd509c206}"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\OriginalVersion]
"Guid" = "{db7de21c-2f87-4bac-a333-1a81923caec0}"

[HKCR\CLSID\{be10f7a0-3f5b-4dcc-91c0-7295caf72dc0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AIMTb.AOLTBSearch.1]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCR\AIMTb.AOLTBSearch]
"(Default)" = "AOL Messaging Toolbar Search Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetController"

[HKCR\AIMTb.WidgetController.1\CLSID]
"(Default)" = "{d775aeac-8d70-4a84-b248-8f817e27d177}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\TypeLib]
"(Default)" = "{f8ec99b3-c2ca-4a5f-9505-c049766dc883}"

[HKCR\AIMTb.AOLToolBand.1]
"(Default)" = "AOL Messaging Toolbar"

[HKCR\Wow6432Node\Interface\{F8D0E533-42A5-4452-8246-5C1FAD103151}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\Wow6432Node\Interface\{59F35913-545D-4DEA-832E-DB35A0178413}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EB198820-CE8A-4424-901C-32C517045A74}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\CLSID\{135a3816-fbc1-4fc3-a7db-00b54c81cf39}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\AIMTb.AOLTBSearch\CurVer]
"(Default)" = "AIMTb.AOLTBSearch.1"

[HKCR\CLSID\{090e7543-393f-48ac-8038-1f6cd509c206}]
"(Default)" = "CurtainInfo Class"

[HKCR\TypeLib\{F8EC99B3-C2CA-4A5F-9505-C049766DC883}\1.0\0\win64]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
"(Default)" = "ToolbarParams Class"

[HKCR\CLSID\{59F35913-545D-4DEA-832E-DB35A0178413}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}]
"AppID" = ""

[HKCR\Wow6432Node\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.ContentObject\CurVer]
"(Default)" = "AIMTb.ContentObject.1"

[HKCR\Interface\{ED45AFEB-B75C-4B23-BB59-1EDCD4982CAA}\NumMethods]
"(Default)" = "62"

[HKCR\Wow6432Node\Interface\{19A73A5A-FFBE-4301-97F3-8A0893CF4438}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AIMTb.ToolbarParams.1]
"(Default)" = "ToolbarParams Class"

[HKCR\Interface\{BE560B61-235C-4138-B0B0-B138960C7F13}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\Interface\{D346A953-5571-488C-B2AA-D9469CA8AABA}\ProxyStubClsid32]
"(Default)" = "{59F35913-545D-4DEA-832E-DB35A0178413}"

[HKCR\AIMTb.Downloader]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{76ef8120-dfad-43c1-bd64-cc72a54c9dbf}\VersionIndependentProgID]
"(Default)" = "AIMTb.WidgetHandler"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
"(Default)" = "%Program Files%\AIM Toolbar\aimtb.dll"

[HKCR\AIMTb.ContentObject\CLSID]
"(Default)" = "{135a3816-fbc1-4fc3-a7db-00b54c81cf39}"

[HKCR\CLSID\{8e037791-0349-4715-b872-673c5c20b720}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{82CC1B58-ACDE-4476-9C36-B65BEA6CDEEE}]
"(Default)" = "IWidgetController"

[HKCR\CLSID\{d775aeac-8d70-4a84-b248-8f817e27d177}]
"AppID" = ""

[HKCR\AIMTb.WidgetHandler.1]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.WinampUtil.1\CLSID]
"(Default)" = "{8e037791-0349-4715-b872-673c5c20b720}"

[HKCR\Interface\{0F4876BB-86FE-4FC5-A1F3-3BC76E5D1E58}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{227E01AA-E5E2-4DA7-BE30-9E055D51300C}]
"(Default)" = "IToolbarParams"

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
"(Default)" = "AIMTb.AOLToolBand"

[HKCR\CLSID\{9dceb7f8-34d0-4934-a849-e71590d72700}]
"(Default)" = "MailUtil Class"

[HKCR\AIMTb.MailUtil.1\CLSID]
"(Default)" = "{9dceb7f8-34d0-4934-a849-e71590d72700}"

[HKCR\AIMTb.WidgetHandler]
"(Default)" = "WidgetHandler Class"

[HKCR\AIMTb.ToolbarInfo.1\CLSID]
"(Default)" = "{d8863379-71e8-4309-89de-bdd8f807f133}"

[HKCR\Interface\{BA884A8A-CE4E-41D8-B13D-05E039D40779}]
"(Default)" = "IMailUtil"

[HKCR\CLSID\{d8863379-71e8-4309-89de-bdd8f807f133}\VersionIndependentProgID]
"(Default)" = "AIMTb.ToolbarInfo"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
"(Default)" = "AOL Messaging Toolbar Loader"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\InprocServer32]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\TypeLib]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\InprocServer32]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\VersionIndependentProgID]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\InprocServer32]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Programmable]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Implemented Categories]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\Programmable]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\VersionIndependentProgID]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\InprocServer32]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\Programmable]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\TypeLib]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\TypeLib]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\ProgID]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{5f0383d1-2408-42dd-9e25-1e375a314825}\VersionIndependentProgID]
[HKCR\CLSID\{b0cda128-b425-4eef-a174-61a11ac5dbf8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}\ProgID]
[HKCR\CLSID\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKCR\CLSID\{61539ecd-cc67-4437-a03c-9aaccbd14326}]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\AIM Toolbar\ieToolbar\CurrentVersion]
"appendButtonId"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process dnu.exe:4024 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "DB 35 4E 89 16 19 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AOL\SoftwareUpdateUtility]
"Count" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\AOL\SoftwareUpdateUtility]
"LastCheck" = "1418841973"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "76 1E 30 BD 29 1A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process dnu.exe:3420 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\AppID\dnu.EXE]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\dnupdate]
"WarnOnOpen" = "0"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser"

[HKCR\dnUpdate]
"(Default)" = "URL: AOL downloadUpdater Protocol"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppPath" = "%CommonProgramFiles%\Software Update Utility"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dnUpdate]
"URL Protocol" = ""

[HKCR\dnUpdater.DownloadUpdController\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUpdController]
"(Default)" = "DownloadUpdController Class"

[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
"(Default)" = "dnu"

[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUpdController"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUIBrowser]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKCR\dnUpdater.DownloadUIBrowser.1]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
"(Default)" = "dnUpdater 1.0 Type Library"

[HKCR\dnUpdater.DownloadUpdController\CurVer]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppName" = "dnu.exe"
"Policy" = "3"

[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

[HKCR\dnUpdater.DownloadUpdController.1]
"(Default)" = "DownloadUpdController Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = "DownloadUpdController Class"
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\dnUpdate\shell\open\command]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe %1"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

The process dnu.exe:2956 makes changes in the system registry.
The Malware deletes the following registry key(s):

[HKCU\Software\AOL\SoftwareUpdateUtility]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\Programmable]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
[HKCR\dnUpdater.DownloadUpdController\CLSID]
[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}]
[HKCR\AppID\dnu.EXE]
[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
[HKCR\dnUpdate]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
[HKCR\dnUpdater.DownloadUpdController\CurVer]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Programmable]
[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
[HKCR\dnUpdater.DownloadUIBrowser.1]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
[HKCR\dnUpdater.DownloadUpdController.1]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
[HKCR\dnUpdater.DownloadUpdController]
[HKCR\dnUpdate\shell]
[HKCR\dnUpdater.DownloadUIBrowser]
[HKCR\dnUpdate\shell\open\command]
[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
[HKCR\dnUpdate\shell\open]
[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]

The Malware deletes the following value(s) in system registry:

[HKCR\dnUpdate]
"URL Protocol"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"AppID"

[HKCR\AppID\dnu.EXE]
"AppID"

The process dnu.exe:2372 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\AppID\dnu.EXE]
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\dnupdate]
"WarnOnOpen" = "0"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser"

[HKCR\dnUpdate]
"(Default)" = "URL: AOL downloadUpdater Protocol"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppPath" = "%CommonProgramFiles%\Software Update Utility"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dnUpdate]
"URL Protocol" = ""

[HKCR\dnUpdater.DownloadUpdController\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUpdController]
"(Default)" = "DownloadUpdController Class"

[HKCR\dnUpdater.DownloadUIBrowser\CurVer]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}\ProgID]
"(Default)" = "dnUpdater.DownloadUIBrowser.1"

[HKCR\dnUpdater.DownloadUIBrowser\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\ProgID]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKCR\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}]
"(Default)" = "dnu"

[HKCR\dnUpdater.DownloadUIBrowser.1\CLSID]
"(Default)" = "{E15A9BFD-D16D-496D-8222-44CADF316E70}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\VersionIndependentProgID]
"(Default)" = "dnUpdater.DownloadUpdController"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}]
"(Default)" = "IDownloadUpdController"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\dnUpdater.DownloadUIBrowser]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"Version" = "1.0"

[HKCR\dnUpdater.DownloadUIBrowser.1]
"(Default)" = "DownloadUIBrowser Class"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}\1.0]
"(Default)" = "dnUpdater 1.0 Type Library"

[HKCR\dnUpdater.DownloadUpdController\CurVer]
"(Default)" = "dnUpdater.DownloadUpdController.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7BD9A644-9DC6-42be-8872-CBF5524276BD}]
"AppName" = "dnu.exe"
"Policy" = "3"

[HKCR\dnUpdater.DownloadUpdController.1\CLSID]
"(Default)" = "{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}"

[HKCR\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}\TypeLib]
"(Default)" = "{92380354-381A-471F-BE2E-DD9ACD9777EA}"

[HKCR\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

[HKCR\dnUpdater.DownloadUpdController.1]
"(Default)" = "DownloadUpdController Class"

[HKCR\Wow6432Node\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}]
"(Default)" = "DownloadUpdController Class"
"AppID" = "{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}"

[HKCR\dnUpdate\shell\open\command]
"(Default)" = "%Program Files% (x86)\Common Files\Software Update Utility\dnu.exe %1"

[HKCR\Wow6432Node\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}]
"(Default)" = "IDownloadUIBrowser"

Dropped PE files

MD5 File path
04ad4b80880b32c94be8d0886482c774 c:\Program Files (x86)\AIM Toolbar\7z.dll
bdde01ebf00e7fad5690779de65a93c7 c:\Program Files (x86)\AIM Toolbar\aimtb.dll
48af6994e924487b26d1aab2dcc11ccf c:\Program Files (x86)\AIM Toolbar\aimtbServer.exe
e5c8cececbf8c680abfc9a5fc8d09328 c:\Program Files (x86)\AIM Toolbar\uninstall.exe
6f7c8b14d416aa62302a2e500ae83883 c:\Program Files (x86)\Common Files\Software Update Utility\dnu.exe
40b5edb6ce379c063e78c71ca87e7559 c:\Program Files (x86)\Common Files\Software Update Utility\uninstall.exe
23a37370f275aa63255dfcc703951c37 c:\Program Files\AIM Toolbar\7z.dll
2181ab144bc82529bd075187e7415b6c c:\Program Files\AIM Toolbar\aimtb.dll
37dd8ff0700a8d66397c2be9b3b6c028 c:\Program Files\AIM Toolbar\aimtbServer.exe
e5c8cececbf8c680abfc9a5fc8d09328 c:\Program Files\AIM Toolbar\uninstall.exe
cffa9ee353b9e2f4995488b90e6da41a c:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fa c:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll
cffa9ee353b9e2f4995488b90e6da41a c:\Users\All Users\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fa c:\Users\All Users\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll
cffa9ee353b9e2f4995488b90e6da41a c:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll
77e47dcb08ab9a8ea7141241ac2838fa c:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll
4bf70b35b943bd73bd6e13eb7c1ba4b3 c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll
b9829ee922823f86d556564e6654d4e9 c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe
81f0a71e0a851f24128ffc92e5b514eb c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll
149fe0d2d2b0811a3749a210c2b29a65 c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe
5119b80bd9e57b218cae5dbdf8e11fb2 c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll
af8dcb44813c1ddcb789aa8eab2ccdc4 c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll
dade3f9101d7ddd88ce76afc1a50b32f c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll
e01945331345f678afae3ecd5369d61a c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll
f586eed77cf57513bd1a62334cc878cf c:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe
42dd26d5e5d8d46373b3902cfb891a64 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe
11781d4660ff929b6b2a584d178ee130 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe
cc0bd4f5a79107633084471dbd4af796 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll
4125926391466fdbe8a4730f2374b033 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll
5f6679c0a7569277f8dc3d031a125821 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll
acfb66ee6fc1f4266229ec6098fe1740 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll
2dc35ddcabcb2b24919b9afae4ec3091 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll
b4a091c552738676fd5e6c6a61ecad92 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe
7fd4d3c71d72682f10335c1c3dbfd2ba c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe
4ebec384319165af5a1d2c36019677ce c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe
9a7d35d1e9e5dfb6a7872d49cf64db83 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll
7377e5f92a5ce8e4645ac56abfff5040 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll
acc2b699edfea5bf5aae45aba3a41e96 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll
b9cd1b0fd3af89892348e5cc3108dce7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll
293149eb15c8793dbf1ee5c5298bd5d8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe
09bc9f32af2af2e9aa2f2c6db2255f2d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll
7377e5f92a5ce8e4645ac56abfff5040 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll
73cb3661d56315a8f61691e0e8b0f464 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll
293149eb15c8793dbf1ee5c5298bd5d8 c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe
c29407ea98713dbeeb849036eca5b602 c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
e249366ca86974606a715e00be93b7a0 c:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AOL Inc.
Product Name: AIM for Windows
Product Version: 8.0.7.1
Legal Copyright: Copyright 2013 AOL Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 8.0.7.1
File Description: AIM Installer
Comments: Installs the software required for running AIM on your desktop.
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 77824 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 225280 42880 43008 4.45152 b9170ccf81cb7aefd12fd98edae10127

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
488f69dd4715e72123c7554267d323bb

URLs

URL IP
hxxp://api.opencandy.com/?bn=3&bv=10.00.9200.16521&clientv=38&cltzone=120&language=en,en&method=get_offers&mstime=0.202&os=WIN6.1SP1-64&product_key=a4465b72941e93bd290f2a57e7175c61&v=1.0&signature=84fe6077d04595477439da3d7e3569ee
hxxp://a1621.dscg.akamai.net/downloadupdater/products.xml
hxxp://arena10304.egslb.aol.com/toolbarfiles/Prod/downloads/aim/current/aol-messaging_trio.exe
hxxp://api.opencandy.com/?clientv=38&method=track_product_installed&mstime=24.102&product_key=a4465b72941e93bd290f2a57e7175c61&session_key=21c7eaf8d0b66cbb74e37c09137bc464&v=1.0&signature=2b6b94de24edbaa3f1a74d1c4a849d5d
hxxp://www.aim.com.websys.akadns.net/.client
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/css/aim.client.css
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/js/aim.client.js
hxxp://a1621.dscg.akamai.net/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?e2e6e6ee353044e2
hxxp://www.aim.com.websys.akadns.net/static/2.42.0.1/desktop/images/systray_offline.ico
hxxp://arena10304.egslb.aol.com/toolbarfiles/Prod/Content/time/timestamp.php
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ff_en_us_aim_inst_silent_png_previous_googlecom.Google.._-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/nocontentxml.jsp
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_previous_-.Bing.-.-_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ch_en_us_aim_inst_silent_png_previous_-.1._-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ff_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://ftp-newaol.egslb.aol.com/aim/win/appcast.xml
hxxp://search.aol.com.aol.akadns.net/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hxxp://a1621.dscg.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1597abc4c85a00a
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMk=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET MALWARE W32/OpenCandy Adware Checkin
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

The Malware connects to the servers at the folowing location(s):

aim.exe_692:

.text
`.rdata
@.data
.rsrc
@.reloc
8%u:j
u(<%u$
8^%uv
FTPjo
:>t.FOCB
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
Load - Frame start for URL:
.\chromely\main\ClientHandler.cc
ClientHandler::SetAppDomain url:
SystemObject::SetHotKeyWindow
c:\cm\build\public\chromely_win_2014_01\src\apiar\chromely/api/SystemObject.h
Load - Frame end for URL:
OnKeyEvent code:
ClientHandler::CheckForAppDomain url:
<html><body><script>document.location='app://nonet/content.html'</script></body></html>
<html><head><title>Load Failed</title></head><body><h1>Load Failed</h1><h2>Load of URL
NAVTYPE_OTHER - mainUrl is
app://notification/test.js
app://notification/style.css
app://notification/content.html
app://notification/code.js
app://notification/close.png
app://nonet/test.js
app://nonet/style.css
app://nonet/logo.png
app://nonet/content.html
app://nonet/code.js
app://nonet/clouds.png
app://nonet/background.png
FRegDeleteKeyExW
.\chromely\main\main_win.cc
https
manifest.bin
%d sec.
%d msec.
[%s - %s]
vsdiff.exe
OnCmdExit hwnd=
.\chromely\main\BrowserFrame_win.cc
OnChromelyResizeContent - w:
BrowserFrameImpl::OnChromelyHasNavbar
BrowserFrameImpl::OnChromelyGetWindowObject
OnCmdAppRangeHandler wNotifyCode=
OnHotKey
appcmd
AOL_CHROMELY_TRACE_KEYS
.\chromely\main\ChromelySwitches.cc
.\chromely\core\TrackInfo_win.cc
.\chromely\core\string_util.cc
.\chromely\core\BITSDownloadManager_win.cc
.\chromely\core\NetworkServices_win.cc
system.settings
system.displays
system.idle
Cmdline:
.\chromely\core\SystemEventsWindow_win.cc
system.fastUserSwitch
system.locked
CHROMELY
hXXp://aol.com/xml-namespaces/sparkle
hXXp://VVV.andymatuschak.org/xml-namespaces/sparkle
.\chromely\core\ToasterController.cc
sig_sha256=%s
%s?%s
%s&%s&%s
UrlSigner::Add
.\chromely\core\UrlSigner.cc
%s=%s
Kernel32.dll
.\chromely\core\SystemEvents_win.cc
.\chromely\core\XmlParser.cc
8.0.7.1
.\chromely\core\AIMXMigrator.cc
1.2.5
Operation '
.\chromely\core\SimpleTimeLogger.cc
.\chromely\core\SoftwareUpdateManager_win.cc
info.update
Chromely new version:
Removing URL:
.\chromely\core\NavigationPolicyController.cc
Checking Url:
Adding URL:
chrome-devtools:
WM_0xX
WM_CTLCOLORMSGBOX
WM_SYSKEYUP
WM_SYSKEYDOWN
WM_KEYUP
WM_KEYDOWN
WM_GETHOTKEY
WM_SETHOTKEY
WM_VKEYTOITEM
.\chromely\core\ToasterView_win.cc
.\chromely\core\ToasterModel.cc
.\chromely\core\AppConfig.cc
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="content-type" content="application/xhtml xml;charset=utf-8"/>
<link rel="stylesheet" href="styles.css" type="text/css">
<title>%s</title>
<h1>%s</h1>
<img src="hXXp://api.oscar.aol.com/expressions/get?f=native&type=buddyIcon&t=%s" height="48" border="1" alt="icon"/> %s <a href="aim:goim?screenName=%s&targetBuddyList=%s">%s</a>
%s %s
<tr><!--ts:%lld--><td colspan="2" class="time">%s, %s %d, %d</td></tr>
<tr><td colspan="2" class="event">%s</td></tr>
%s<!--ts:%lld--><td class="%s">%s (%s):</td><td class="msg" width="100%%">%s</td></tr>
.html
SystemObject::IsHotKeyTag tag=
.\chromely\api\SystemObject.cc
SystemObject::RegisterHotKey did register
SystemObject::UnregisterHotKey did unregister tag=
registerHotKey
unregisterHotKey
.\chromely\api\EventObject.cc
.\chromely\api\AppObject.cc
Check failed: frame.get().
app.terminate
AppObject:TheV8Handler::Execute
Setting BlankWindowUrl to:
addInternalUrl
appWindows
blankWindowUrl
mainUrl
removeInternalUrl
AppObject: CloseAllWindows()
.\chromely\api\AppObject_win.cc
SystemObject::RegisterHotKeyImpl
.\chromely\api\SystemObject_win.cc
SystemObject::UnregisterHotKeyImpl
.\chromely\api\AppContextMenu.cc
Unrecognized keyword '
Unknown URL signing method.
Get URL
AuthObject::SignUrl
POST URL
.\chromely\api\AuthObject.cc
application/x-www-form-urlencoded
clientLogin
migratorLogin
signUrl
.\chromely\api\WindowObject.cc
WindowObject:TheV8Handler::Execute
Chromely
.\chromely\api\InfoObject.cc
UpdateObject:TheV8Handler::Execute
.\chromely\api\WindowObject_win.cc
.\chromely\api\AppContextMenu_win.cc
FCCreateKey
FCSetKeyOptions
FCCreatePersistentKey
FCFlushNonSharedPersistentKeys
FCAddDataToKey
FCDeleteDataFromKey
FCAddIntToKey
FCDeleteIntFromKey
FCAddStringToKey
FCDeleteStringFromKey
FCAddDateToKey
FCDeleteDateFromKey
FCCreateSupportIncidentInternal
FCClearKeys
FCClearKey
FCDeleteKey
SHELL32.dll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
.\time_win.cc
user.js
.\file_path.cc
.\file_util_win.cc
Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.MapViewOfFile".
MemoryMappedFile.MapViewOfFile
Check failed: histogram_pointer->histogram_name() == "MemoryMappedFile.CreateFileMapping".
MemoryMappedFile.CreateFileMapping
c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_handle.h
Performing shell operation
ERROR_REPORT
.\logging.cc
.\command_line.cc
.\utf_string_conversions.cc
.\at_exit.cc
.\json\json_writer.cc
.\values.cc
Check failed: IsStringUTF8(key).
ins_res.first->second != in_value
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Check failed: it != outbuf.begin().
.\string_number_conversions.cc
@: Bad boy, the buffer passed to placement new is not aligned!
c:\cm\build\public\chromely_win_2014_01\src\base/lazy_instance.h
Check failed: path.empty().
key >= base::DIR_CURRENT
.\path_service.cc
Y@.\string_util.cc
.\pickle.cc
(%d = %3.1f%%)
R@.\metrics\histogram.cc
Check failed: histogram.bucket_ranges()->HasValidChecksum().
(flags = 0x%x)
samples.sum() == 0
Histogram: %s recorded %d samples
Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountLow".
Histogram.InconsistentCountLow
Check failed: histogram_pointer->histogram_name() == "Histogram.InconsistentCountHigh".
Histogram.InconsistentCountHigh
.\win\scoped_handle.cc
.\platform_file_win.cc
.\win\windows_version.cc
version_number_.minor == 2
.\vlog.cc
.\string_split.cc
value.size() <= 1U
.\callback_internal.cc
\uX
.\json\json_parser.cc
0123456789
.\third_party\dmg_fp\dtoa_wrapper.cc
c:\cm\build\public\chromely_win_2014_01\src\base/win/scoped_co_mem.h
.\threading\thread_local_win.cc
.\metrics\statistics_recorder.cc
Check failed: bucket_index >= 0 && bucket_index < counts_.size().
.\metrics\sample_vector.cc
.\metrics\bucket_ranges.cc
i < ranges_.size()
CHROME_PROFILER_TIME
.\threading\thread_local_storage_win.cc
.\metrics\histogram_samples.cc
requested feature requires XML_DTD support in Expat
unexpected parser state - please send a bug report
xml=hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
gdiplus.dll
full-memory-crash-report
c:\cm\build\public\chromely_win_2014_01\src\apiar\Release\AIM.pdb
ShellExecuteW
GdiplusShutdown
SHFileOperationW
WININET.dll
VERSION.dll
MSIMG32.dll
WS2_32.dll
SHDeleteKeyW
SHLWAPI.dll
RPCRT4.dll
COMCTL32.dll
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
EnumThreadWindows
RegisterHotKey
UnregisterHotKey
GetKeyNameTextW
MapVirtualKeyExW
USER32.dll
GDI32.dll
COMDLG32.dll
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
libcef.dll
CRYPT32.dll
SensApi.dll
IPHLPAPI.DLL
WTSAPI32.dll
WINMM.dll
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
cef_parse_url
cef_web_urlrequest_create
cef_string_map_key
cef_string_multimap_key
system.trackInfo
system.sleep
app.oncommand
network.available
network.ipaddrchange
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><ms_asmv2:trustInfo xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3" level="asInvoker" ms_asmv3:uiAccess="false"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
g%u%w
eYb)ý
5-x}&
.no&Gmh<s
 x%d{
V%xk&
.ml)5
var state = this.readyState;
if (state == this.DONE) {
if (this.status == 200) {
redirected = this.responseText.toUpperCase().indexOf(app.validityId) < 0;
console.log("XMLHttpRequest response "   (redirected ? "redirected" : "valid"));
console.log("XMLHttpRequest status: "  this.status);
if (app.network.available) {
if (app.validityId) {
console.log("Starting XMLHttpRequest for "   app.mainUrl);
var req = new XMLHttpRequest();
req.onreadystatechange = onReadyStateChange;
req.open("GET", app.mainUrl);
req.send();
console.log("Reloading page (no validity id) "   app.mainUrl);
appWindow.resizeTo(kWidth, kHeight, false);
appWindow.setMinContentSize(kWidth, kHeight);
appWindow.center();
app.events.register("network.available", check);
app.events.unregister("network.available", check);
timerid = setTimeout(check, app.validityId ? 250 : 5000);
var tryagain = document.getElementById('tryagain');
tryagain.addEventListener("click", onReady, false);
appWindow.oncontextmenu = onContextMenu;
appWindow.oncontextmenu = null;
menu.deleteItemByTag( [9, 10, 40005, 40006] );
document.location = app.mainUrl;
app.system.openExternal("hXXp://VVV.aim.com");
<script src="test.js"></script>
<script src="code.js"></script>
<link rel="stylesheet" href="style.css" type="text/css"/>
background-image:url(background.png);
.center {
background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#ffffff), color-stop(25%, #ffffff), to(#e6e6e6));
background-image: -webkit-linear-gradient(#ffffff, #ffffff 25%, #e6e6e6);
-webkit-transition: 0.1s linear all;
button.good {
background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #62c462), color-stop(100%, #04a500));
background-image: -webkit-linear-gradient(top, #62c462, #04a500);
background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #F26C24), color-stop(100%, #E6490C));
background-image: -webkit-linear-gradient(top, #F26C24, #E6490C);
-webkit-box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.25), 0 1px 2px rgba(0, 0, 0, 0.05);
.logo {
background-image: url('logo.png');
.clouds {
background-image: url('clouds.png');
fiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:09801174072068118C98FAD59F8C9BDF" xmpMM:DocumentID="xmp.did:19A31753E8A811E0810AB2F4AEBC9664" xmpMM:InstanceID="xmp.iid:19A31752E8A811E0810AB2F4AEBC9664" xmp:CreatorTool="Adobe Photoshop CS5 Macintosh"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:09801174072068118C98FAD59F8C9BDF" stRef:documentID="xmp.did:09801174072068118C98FAD59F8C9BDF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
config = appNotification.getConfig();
window.addEventListener("load", function() {
document.body.style.width = config.width   "px";
window.addEventListener("unload", function() {
appNotification.closed(false);
window.addEventListener("message", function(e) {
var cmd = e.data[0];
console.log('onmessage', e.data);
if (cmd == 'hi') {
var child = document.body.firstChild;
if (child.nodeName == "DIV") {
child.firstChild.contentWindow.postMessage(["id", parseInt(child.id)], "*");
child = child.nextSibling;
} else if (cmd == 'size') {
} else if (cmd == 'keep') {
HandleKeepOpen(e.data[1]);
} else if (cmd == 'close') {
HandleClose(e.data[1], e.data[2]);
} else if (cmd == 'click') {
appNotification.clicked(e.data[1]);
appWindow.setExtraPixels(0, config.height);
console.debug("HandleResize()");
var heightDelta = document.body.clientHeight - lastHeight;
var widthDelta = document.body.clientWidth - lastWidth;
lastHeight = document.body.clientHeight;
lastWidth = document.body.clientWidth;
appWindow.resizeTo(lastWidth, lastHeight, true);
element = document.getElementById(id);
appNotification.closed(id, userClosed);
element.parentNode.removeChild(element);
var e = document.getElementById(id);
e.onmouseout = null;
e.onmouseover = null;
if (data.timerId) {
clearTimeout(data.timerId);
data.timerId = 0;
var ticks = timers[id].endAt - ( new Date());
if (ticks < config.mouseOutWaitMS)
ticks = config.mouseOutWaitMS;
timers[id].timerId = setTimeout( function() {
timers[id].timerId = 0;
var element = document.createElement(tag);
function CreateMsgElemForId(id) {
"className": "msg",
appNotification.clicked(id);
e.stopPropagation();
function ShowNotification(id, url) {
console.debug("frame src: "   url);
var div = CreateMsgElemForId(id);
"src": url
if (config.width && config.height) {
frame.style.width = (config.width - 6)   "px";
frame.style.height = config.height   "px";
div.appendChild(frame);
div.appendChild(img);
document.body.appendChild(div);
HandleInsertTimeout(id, config.displayMS);
appNotification.displayed(id);
<html><head><script src="test.js"></script><script src="code.js"></script>
<link rel="stylesheet" href="style.css" type="text/css"/>
.msg {
.close {
background: url("close.png") repeat scroll 0 0 transparent;
.msg:hover .close {
4A4U4t4y4~4
:%: :1:6:<:
:":3:8:=:
7-7A7U7i7}7
2%3x3
7%8x8
0"012:2@2
= =$=(=,=0=4=
= =$=(=,=0=
> >$>(>,>0>
5!5,5?5}5
;$; ;1;8;
6!6(6/666=6
3 3$3(3,3
<,<0<4<8<
: :$:(:,:0:4:8:<:
<(<,<0<4<8<<<
5'5,50545]5
0014181<1
3 3$3(3,303
0<4<8<<<
0 0<0@0\0`0
10181<1@1`1
devtools_resources.pak
console.log
Chrome_MessagePumpWindow
WAdvapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
npswf32.dll
json_data_1.txt
"%s" "%s" "%s"
json_data_2.txt
comctl32.dll
ChromelyFrameWindow
{97E27FAA-C0B3-4b8e-A693-ED7881E99FC1}
- MediaMonkey
DShell32.dll
Software\Classes\%s\shell\open\command
"%s,0"
URL Protocol
Software\Classes\%s
https=
http=
AOL Chromely Update
eChromelySystemEventsWindow
chromely:show
https:
http:
%s,%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
aimx.bin
aimx.migrated
config.xml
install.exe
NPSWF32.dll
*.tmp
"%s" /S /RELAUNCH=%s
"%s" /RELAUNCH=%s
ChromelyNotificationWindow
hXXp://VVV.aim.com
%s-%d-d-d--d-d-d.png
styles.css
sndvol32.exe
sndvol.exe
%s%c%s
ChromelyCloakWindow
aolload.exe
tbdiag.dll
debug_message.exe
debug.log
.\debug.log
psapi.dll
$kernel32.dll
mscoree.dll
KERNEL32.DLL
C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe
AIM for Windows
AIM for Windows Version 8.0.7.1
%s Sounds
aim.exe

aol-messaging_trio1C76.exe_2744:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"
ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp
inetc.dll
4-db756a951760}\
refs.js
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp
tbconfig.ini
AOL_Search.exe
pData\Local\Temp\nsf64BC.tmp\inetc.dll
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
-America Online Root Certification Authority 10
'hXXps://pki-info.aol.com/AOL/index.html05
$hXXp://crl.aol.com/AOL/MasterCRL.crl0
hXXp://ocsp.web.aol.com:80/ocsp0<
 hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0
 hXXp://pki-info.aol.com/AOLMSPKI/index.html0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
VVV.aol.com 0
E.BUK
%%9UU
R.mT5
SSSSSShUf1G=ttttt xxxxxx:::httt
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
(D;.Ey
\.lR%
%ulDK
*fz%F
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe\"
{c2f863cd-0429-48c7-bb54-db756a951760}
-12-2014
\AppData\Local\Temp\nsf64BC.tmp
ers\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar
1.1.0.1.ieff
pData\Local\AIM Toolbar\ieToolbar\en-US\default_aim.xml
content\aoltoolbar.xul
ref("toolkit.telemetry.previousBuildID", "20140506152807");
"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");
ttp://web.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}
ttp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}
//toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE
er\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1401956265768,\"rdfTime\":1399421153000}}}]");
IEXPLORE.EXE
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
bble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe" /t_target=ieff /s_target=ieffch /h_target=ieffch /closeprompt=0 /S
%Program Files% (x86)\AIM Toolbar
29-48c7-bb54-db756a951760}
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
aol-messaging_trio1C76.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsk648C.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe
iexplore.exe
C:\ProgramData\AIM Toolbar\ieToolbar\resources
\Program Files (x86)\Google\Chrome\Application
hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ff&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1
hXXp://toolbar.aol.com/utilities/rtw/bubble/congrats.htm?postinstall&lang=en&locale=US&title=AOL Messaging Toolbar&brand=aim&source=aimright-ie&instd=2C27121BAFDF4B8CB86ABE75623F7CFE&hp=1&ds=1
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default
.google.com
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE
9.10.9200.16521
10.9200.16521
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid={uid}
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid={uid}
tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-
17-12-2014
5.96.10.10013
hXXp://search.aol.com/aol/log?event=tlb_aim_10013.10014_-_w7_ie_en_us_aim_inst_silent_png_complete_1.1.1.0.1.ieff_-&s_it=aimright&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
e.com
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default
444444444
2888888
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
5.96.174.1
aol-messaging_toolbar_ie.exe
ogle\Chrome\Application
${_DUALEXENAME_}

AOL_Search.exe_3728:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
Local\Temp\nsf99C0.tmp\AOL.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll
43789B7-F39C-4b5c-9287-DA72D38F4FE6}
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp
@.reloc
c:\cm\build\public\setiesearch_05022013_9\toolbar\addons\nsis\homepagesearch\setiesearch\Release\AOL.pdb
MSVCR90.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
UrlEscapeW
SHLWAPI.dll
MSVCP90.dll
AOL.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
-America Online Root Certification Authority 10
'hXXps://pki-info.aol.com/AOL/index.html05
$hXXp://crl.aol.com/AOL/MasterCRL.crl0
hXXp://ocsp.web.aol.com:80/ocsp0<
 hXXp://crl.aol.com/AOLMSPKI/aolCodeSign.crl0
 hXXp://pki-info.aol.com/AOLMSPKI/index.html0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
VVV.aol.com 0
SELECT %s WHERE rowid=?
INSERT INTO %Q.'%q_content' VALUES(%s)
SQL logic error or missing database
unknown operation
large file support is disabled
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
CREATE TEMP TABLE sqlite_temp_master(
sql text
CREATE TABLE sqlite_master(
SQLite format 3
foreign_keys
sqlite_attach
sqlite_detach
RowKey
(%d) %s
/****** %s ******/
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
/**** ERROR: (%d) %s *****/
DELETE FROM sqlite_sequence;
sqlite_sequence
sqlite_stat1
ANALYZE sqlite_master;
sqlite_
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
Kernel32.dll
Error: unable to open database "%s": %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
|O%D$V
'%s("B!
.nnnI
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
CPU Time: user %f sys %f
Error: near line %d:
%s %s
Error: incomplete SQL: %s
Error: cannot open "%s"
Error: %s
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
Error: non-null separator required for import
SELECT * FROM %s
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot write to "%s"
sqlite_master
CREATE TABLE sqlite_master (
sqlite_temp_master
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), name
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), name
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') ORDER BY 1
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') AND name LIKE shellstatic() ORDER BY 1
%s%-*s
ambiguous option name: "%s"
Error: invalid testctrl option: %s
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
SQLite header and source version mismatch
sqlite>
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: cannot locate your home directory
%s: Error: out of memory
%s/.sqliterc
-- Loading resources from %s
%s: Error: missing argument for option: %s
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
SQLite version %s %.19s
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
%s/.sqlite_history
-cmd command run "command" before reading stdin
-echo print commands before execution
-version show SQLite version
iskeyword
Kmingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
msvcrt.dll
unable to open database: %s
unrecognized parameter: %s
unrecognized matchinfo: %s
unrecognized order: %s
error parsing prefix parameter: %s
missing %s parameter in fts4 constructor
,%s(x.'c%d%q')
FROM '%q'.'%q%s' AS x
,%s(?)
docid INTEGER PRIMARY KEY
%z, 'c%d%q'
CREATE TABLE %Q.'%q_content'(%s)
CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)
cannot open value of type %s
foreign key
indexed
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
cannot open %s column for writing
%s_segments
malformed MATCH expression: [%s]
SELECT %s ORDER BY rowid %s
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
cannot change %s wal mode from within a transaction
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
database table is locked: %s
zeroblob(%d)
statement aborts at %d: [%s] %s
E.BUK
%%9UU
nsf99C0.tmp
{443789B7-F39C-4b5c-9287-DA72D38F4FE6}
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini
Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini
0633EE93-D776-472f-A0FF-E1416B8B2E3A}
ewtaburl
turl
ttp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp
AOL_Search.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsp99AF.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe
9.10.9200.16521
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000013&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE
hXXp://web.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=aimright-ie&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE&tb_oid=17-12-2014&tb_mrud=17-12-2014
hXXp://autocomplete.search.aol.com/autocomplete/get?q={searchTerms}&count=10&it={source}-en-us&output=json&it=aimright-ie
17-12-2014
hXXp://VVV.aol.com/?mtmhp=hyplogusaolp00000083&tb_uuid=2C27121BAFDF4B8CB86ABE75623F7CFE
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
888816666554443
6666554443
!6666554443
1.3.11.1

AOL_Search.exe_3728_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dnupdatersetup.exe:2392
    WerFault.exe:3408
    aol-messaging_trio1C76.exe:2744
    aimtbServer.exe:2388
    aimtbServer.exe:1676
    aimtbServer.exe:3896
    aimtbServer.exe:3388
    aol-messaging_toolbar_ff.exe:2736
    dlupd.exe:2712
    RunDll32.exe:3852
    %original file name%.exe:3300
    %original file name%.exe:2728
    aol-messaging_toolbar_ie.exe:3716
    regsvr32.exe:3468
    dnu.exe:4024
    dnu.exe:3420
    dnu.exe:2956
    dnu.exe:2372

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\nsJSON.dll (15 bytes)
    %Program Files% (x86)\Common Files\Software Update Utility\uninstall.exe (313 bytes)
    %Program Files% (x86)\Common Files\Software Update Utility\dnu.exe (6526 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State (2156387 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa6D73.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_dnupdatersetup.e_50eae638e7cd79cff7e41844acbd428498edc5_0d5c7e53\Report.wer (156854 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\vc9rt.msi (39033 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\182NGY1Y\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\timestamp[1].htm (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\tbconfig.ini (27962 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P3RWXGAD.txt (112 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spr5.htm (85 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ToolbarDetector.dll (16476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\upgrade.xml (164 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\timestamp.txt (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\ZipDLL.dll (5667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsJSON.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\AOL_Search.exe (14383 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWR9ROHK\nocontentxml[1].htm (34 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ff.exe (48083 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\44WP93FS\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JOM1A130.txt (304 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\dnupdatersetup.exe (6665 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-messaging_toolbar_ie.exe (166927 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V8U5K4H\nocontentxml[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\Processes.dll (1461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\UAC.dll (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\update\config.xml (223 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000005 (394 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000004 (87 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000007 (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000006 (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000001 (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000003 (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000002 (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000009 (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\f_000008 (69 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FAP56A8.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\manifest.bin (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies (383 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage (154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Local Storage\http_www.aim.com_0.localstorage-journal (5114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_9QXbgnrIl1bcXkL (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\index (368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\Cookies-journal (2799 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AOLDiag\AOL\ChromelyAIMUSGM\Win32\8.0.7.1\fcs4AB5.tmp (703 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_3 (6376 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_2 (12792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_1 (32536 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\cache\WebCache\data_0 (186740 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (5416 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IaimUninstallObserver.xpt (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\pinit.zip (2903 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa7FBB.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll (6762 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\share.zip (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\weather.zip (8430 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\aolmail.zip (3355 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\amazon.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\mailcount.dll (1228 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\trendingtopics.zip (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\surfometer.zip (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\source.dat (1368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimUninstallObserver.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAddonObserver.js (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\calendar.zip (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\widgets\facebook.zip (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\aimAutoSuggest.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\IMailUtil.xpt (194 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome\aimtoolbar.jar (11620 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\chrome.manifest (975 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\aimToolbarData\install\sqlite3.exe (11050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf192C.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\sqlite3.exe (11050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\AOL.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf64BC.tmp\aol-search.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf99C0.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdres.dll (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locales\en-US.pak (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\nsisext.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\manifest.bin (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\locale\en\tbdl10n.ini (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\credits.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\icudt.dll (325923 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\NPSWF32.dll (524009 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\uninstall.exe (6584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\Uninstaller.exe (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\OCSetupHlp.dll (26610 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\register.bat (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\config.xml (321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aolload.exe (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\unregister.bat (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuEA4F.tmp (1220470 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe (33504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aoldiag.dll (13368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\libcef.dll (766772 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\tbdiag.dll (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIM for Windows\Uninstall AIM.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\dlupd.exe (5211 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEA60.tmp\modern-header.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE946.tmp (28210 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\nsisext.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nspE947.tmp\modern-header.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\trendingtopics.zip (11 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_0.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addbuddybutton.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_0.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_left.gif (138 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\jquery.js (3436 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevdown.gif (157 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_bot.gif (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_left.gif (138 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\x64\aimtbres.dll (8320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\footprints.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buddy.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\09.gif (317 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints_frame.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\amazon.zip (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\privacy_icon.gif (468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdown.gif (477 bytes)
    %Program Files% (x86)\AIM Toolbar\uninstall.exe (8368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_2.gif (914 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\content.html (828 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupover.gif (445 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_0.gif (908 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\06.gif (318 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttonManager.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_left.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left_large.gif (170 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsearch.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\evergreen.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addbuddybutton.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_bot.gif (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\bullet.gif (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enabletoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html (714 bytes)
    %Program Files% (x86)\AIM Toolbar\7z.dll (19117 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dropcustombutton.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\buttons\defaultButtons.xml (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\bullet.gif (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtb.cfg (1568 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownover.gif (452 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\weather.zip (8430 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\latest.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\renamecustombutton.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_0.gif (905 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\07.gif (307 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\firsttimepage.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_2.gif (906 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enabletoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.htm (495 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints_confirm.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\qap.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_large.gif (170 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\olderversion.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\04.gif (310 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bottom.gif (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\preferences.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsearch.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply_over.png (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevover.gif (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_top.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_frame.htm (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttonManager.js (6 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_right.gif (108 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_large.gif (171 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextover.gif (155 bytes)
    %Program Files%\AIM Toolbar\7z.dll (31890 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_0.gif (909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.htm (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowright.png (939 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\weather.zip (8430 bytes)
    %Program Files%\AIM Toolbar\uninstall.exe (8368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownover.gif (452 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\share.zip (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\UserInfo.dll (8 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdisabled.gif (456 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_2.gif (914 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dots32.gif (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_left.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_2.gif (900 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabOver.gif (904 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\json2.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\shadowleft.png (938 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\enable_bg.jpg (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndown.gif (482 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\pinit.zip (2903 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\calendar.zip (16 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_right_tile.gif (54 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_0.gif (908 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buttons_frame.htm (3 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\09.gif (317 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\resettoolbar.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_top.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\surfometer.zip (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_0.gif (909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\jquery.js (3436 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addcustombutton.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\03.gif (314 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_0.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\share.zip (4 bytes)
    %Program Files% (x86)\AIM Toolbar\aimtbServer.exe (6897 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_icon.gif (582 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dot.gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\07.gif (307 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_2.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\facebook.zip (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevup.gif (219 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabActive.gif (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\metrics.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\00.gif (313 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndown.gif (482 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_2.gif (909 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\about.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\branding.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextdown.gif (159 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownup.gif (490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_left_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\olderversion.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_0.gif (910 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdown.gif (477 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\03.gif (314 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\about.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options_frame.htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabActive.gif (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevdown.gif (157 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popup_icon.gif (240 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextover.gif (155 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\aolmail.zip (3355 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_right.gif (108 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\surfometer.zip (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_frame.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\02.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\calendar.zip (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\options.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextup.gif (222 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupover.gif (445 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_1.gif (821 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_right_bot.gif (72 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\ani_media_icon.gif (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blocker.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_over_2.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_2.gif (906 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right.gif (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\02.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_normal_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_right_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_frame.htm (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedownup.gif (490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\qap.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\privacy_icon.gif (468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\defaultsprompt.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\addcustombutton.htm (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blocker.js (6 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\amazon.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bg.gif (64 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevup.gif (219 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.html (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\general_icon.gif (470 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\widgets.css (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_icon.gif (462 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_movedowndisabled.gif (455 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dot.gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextup.gif (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabNormal.gif (884 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\content.html (828 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\apply_over.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\upgradeToolbar.exe (3428 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll (8320 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\customize_icon.gif (480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\clearprints_confirm.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupup.gif (488 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_0.gif (905 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsf89E8.tmp\nsArray.dll (14 bytes)
    %Program Files%\AIM Toolbar\aimtbServer.exe (11642 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\metrics.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.html (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\08.gif (316 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_2.gif (907 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\general_icon.gif (470 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\00.gif (313 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtb.cfg (1568 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_2.gif (911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\buddy.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\firsttimepage.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_1.gif (821 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupup.gif (488 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowleft.png (938 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\resettoolbar.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\latest.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\customize_icon.gif (480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\sidebar_bottom.gif (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dropcustombutton.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\05.gif (314 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndisabled.gif (455 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_1.gif (820 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_frame.htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\06.gif (318 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\pinit.zip (2903 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\01.gif (201 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons_frame.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_normal_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bg.gif (64 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_0.gif (908 bytes)
    %Program Files% (x86)\AIM Toolbar\aimtb.dll (63702 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\apply.png (1 bytes)
    %Program Files%\AIM Toolbar\aimtb.dll (82243 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_0.gif (908 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\ani_media_icon.gif (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\facebook.zip (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\renamecustombutton.htm (4 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsprompt.htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\local\search.html (714 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_over_1.gif (820 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_left_tile.gif (54 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\rss\rss.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons.js (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\branding.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_bot.gif (72 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabNormal.gif (884 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\default\youtube.zip (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\05.gif (314 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\SettingTabOver.gif (904 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\04.gif (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\widgets\json2.js (18 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\01.gif (201 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\buttons\defaultButtons.xml (9 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\aolmail.zip (3355 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_2.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popup_icon.gif (240 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\search_icon.gif (582 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\disabled_input_2.gif (900 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_nextdown.gif (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\dots32.gif (5 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_2.gif (907 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\evergreen.html (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\stylesheet.css (7 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\default\trendingtopics.zip (11 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\08.gif (316 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_left.gif (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\x64\aimtbres.dll (8320 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\enable_bg.jpg (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_0.gif (911 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left.gif (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\custombutton.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_moveupdisabled.gif (456 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\blue_input_down_2.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_bottom_tile.gif (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\aimtbres.dll (8696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\stylesheet.css (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\pan_top_tile.gif (53 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_0.gif (910 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\popups_icon.gif (462 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\widgets.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\green_input_down_1.gif (821 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AIM Toolbar\ieResources\en-US\ui\button_prevover.gif (152 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_large.gif (171 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\custombutton.js (1 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options.js (2 bytes)
    C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\widgets\shadowright.png (939 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aol-messaging_trio1C76.exe (1181785 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\prd1AA1.tmp (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\user.js (68 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "AIM for Windows" = "C:\Users\"%CurrentUserName%"\AppData\Local\AOL\AIM\aim.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now