Trojan.Win32.Swrort.3_08596917f2
Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 08596917f28a797c91f3cb197286ef28
SHA1: 0d03764df20dcb2b097794918d824aec97045526
SHA256: 7d088aa1d649bbbda5c54b40970f03b7d0f9bc27affba6d1ab8a76eaac5bfc28
SSDeep: 24576:SStrUAbM6M/KN9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5v3:SStrUAI6Mu9qhGb1uxjFwSu1DomZ3
Size: 1322432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:28:35
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SPIdentifier.exe:1820
%original file name%.exe:368
nsj80.exe:1936
The Trojan injects its code into the following process(es):
No code injection into other processes has been detected.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SPIdentifier.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7E.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V9J33IN2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PU5GX8YM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9MPS5GZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (64797 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)
The process nsj80.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp (0 bytes)
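The three file-activity lists above follow the NSIS dropper pattern: each stage unpacks its plug-in DLLs (inetc.dll, System.dll) into a %Temp%\ns??.tmp directory and deletes them on exit, SPIdentifier.exe downloads SPIdentifierImpl.exe through the WinInet cache and writes a same-sized copy to %Temp%\nsj80.exe, and the new process nsj80.exe:1936 then unpacks its own plug-ins and writes the Search Protect repository. As an added example (not code from the report or from the analysed installer), the script below recognises that pattern in a constructed event list condensed from the report. The regexes and the same-size heuristic used to pair a cached download with its %Temp% copy are assumptions of this example, not something the report states; where the files themselves are available, hash comparison replaces the size heuristic.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the file-activity lists above:
# (process:pid, path written, size in bytes). Placeholders are the report's own.
EVENTS = [
    ("%original file name%.exe:368", r"%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe", 1856),
    ("%original file name%.exe:368", r"%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe", 2392),
    ("%original file name%.exe:368", r"%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll", 25824),
    ("SPIdentifier.exe:1820", r"%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll", 784),
    ("SPIdentifier.exe:1820", r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe", 64797),
    ("SPIdentifier.exe:1820", r"%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe", 64797),
    ("nsj80.exe:1936", r"%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll", 11),
    ("nsj80.exe:1936", r"%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll", 30),
    ("nsj80.exe:1936", r"%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll", 49229),
    ("nsj80.exe:1936", r"%Program Files%\SearchProtect\Main\rep\SystemRepository.dat", 590),
]

# NSIS unpacks its plug-in DLLs into %Temp%\ns<id>.tmp\ and deletes them on exit.
NSIS_PLUGIN_DLL = re.compile(r"\\Temp\\ns[0-9A-Za-z]{2,4}\.tmp\\[^\\]+\.dll$", re.IGNORECASE)
# Executables written directly under %Temp% (second-stage droppers/downloaders).
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# Executables that arrived through the WinInet cache (downloaded via inetc/URLMON).
IE_CACHE_EXE = re.compile(r"\\Content\.IE5\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def classify_events(events):
    """Group file-write events into the dropper-chain indicators a responder
    looks for: which processes staged NSIS plug-ins (and which ones), which
    wrote executables to %Temp%, and which %Temp% executables have exactly the
    size of a file that had just landed in the IE cache (download followed by
    copy-and-run). The size match is a heuristic assumed by this example."""
    findings = {
        "nsis_plugins": defaultdict(set),   # process -> {plug-in dll names}
        "temp_executables": [],             # (process, path)
        "copied_downloads": [],             # (cached path, copy in %Temp%)
    }
    cache_by_size = {}
    for proc, path, size in events:
        name = path.rsplit("\\", 1)[-1].lower()
        if NSIS_PLUGIN_DLL.search(path):
            findings["nsis_plugins"][proc].add(name)
        if IE_CACHE_EXE.search(path):
            cache_by_size[size] = path
        if TEMP_EXE.search(path):
            findings["temp_executables"].append((proc, path))
            if size in cache_by_size:
                findings["copied_downloads"].append((cache_by_size[size], path))
    return findings


if __name__ == "__main__":
    for key, value in classify_events(EVENTS).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```

On the sample, two processes stage plug-ins (SPIdentifier.exe:1820 and nsj80.exe:1936), three executables are written under %Temp%, and SPIdentifierImpl[1].exe pairs with nsj80.exe.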
Registry activity
The process SPIdentifier.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu7F.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 B1 C7 49 B0 70 17 31 2E 72 46 DE 28 19 CB 75"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies the IE security zone map so that all network paths (UNC paths) fall into the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone map so that all sites that bypass the proxy server fall into the Local Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone map so that all local (intranet) sites not listed in other zones fall into the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: "UNCAsIntranet", "ProxyBypass" and "IntranetName" set to 1, together with "ProxyEnable" = "0" and "MigrateProxy" = "1", are the values WinInet writes itself the first time a process uses it under a profile that has no Internet Settings yet. On a fresh sandbox image they are a side effect of the installer's HTTP downloads (the NSIS inetc plug-in uses WinInet), not evidence of deliberate zone tampering. The same holds for the Cache\Paths, Shell Folders, MountPoints2 and Cryptography\RNG "Seed" entries above.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 B0 0C 41 99 E4 35 56 69 C5 7F 5D 7B 52 40 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process nsj80.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 77 27 AE B7 EF 52 CF 27 36 84 0F 20 AC 9C 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies the IE security zone map so that all network paths (UNC paths) fall into the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone map so that all sites that bypass the proxy server fall into the Local Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone map so that all local (intranet) sites not listed in other zones fall into the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
As with the SPIdentifier.exe:1820 entries, these are the values WinInet writes on first use under a fresh profile rather than deliberate changes by the installer.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 73554f3944811c0c4b393826943be2ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe |
| 9fb9d49c2db7edd1084ab765d619f5c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe |
| 3c28060fcffe2b17afa3ec9eabaf5adc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll |
| d96290ac80c0696023d8a2378bd89efa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 198400 | 198656 | 4.5562 | 5794edb184cc1655228892923cdd0fd4 |
| .rdata | 204800 | 78890 | 79360 | 3.13439 | 6bb12677fb81a67e5d46b153ba943a0e |
| .data | 286720 | 20384 | 9216 | 3.18602 | e853efea4ae2be64530d1c184773b128 |
| .rsrc | 307200 | 1005432 | 1005568 | 5.51625 | ab7de3fc354a034360692874cb479c8b |
| .reloc | 1314816 | 23464 | 23552 | 3.25769 | 9e60931ebc074700654d77d68f1c7831 |
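As an added example (not the report's own code), the check an analyst would run on the section table above: Shannon entropy per buffer plus a few structural sanity checks. With no section above 5.52 bits/byte, the table does not support the "Entropy: Packed" verdict in the header; compressed or encrypted sections typically score above 7, and a 1 MB .rsrc at 5.5 is consistent with the embedded licence texts and installer resources visible in the strings below. The threshold of 7.0 is a rule of thumb assumed here, not a value from the report, and the byte count outside the sections cannot be split into headers and overlay without PointerToRawData, which the report does not list.

```python
import math
from collections import Counter

# Section table and file size as reported above:
# (name, virtual address, virtual size, raw size, entropy in bits/byte).
REPORTED_SECTIONS = [
    (".text",  4096,    198400,  198656,  4.5562),
    (".rdata", 204800,  78890,   79360,   3.13439),
    (".data",  286720,  20384,   9216,    3.18602),
    (".rsrc",  307200,  1005432, 1005568, 5.51625),
    (".reloc", 1314816, 23464,   23552,   3.25769),
]
REPORTED_FILE_SIZE = 1322432


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. Compressed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections, file_size, packed_threshold=7.0):
    """Sanity checks on a section table:
    - high_entropy_sections: entropy at or above packed_threshold, the usual
      sign of a compressed or encrypted section (threshold is a rule of thumb);
    - virtual_exceeds_raw: VirtualSize well above RawSize, i.e. uninitialised
      data (normal for .data) or a section filled in at run time by a stub;
    - bytes_outside_sections: file bytes not covered by any section. This
      includes the PE headers, so only the excess over the header size is a
      true overlay (appended data such as an installer payload or a signature);
    - largest_section: where most of the file actually lives."""
    return {
        "high_entropy_sections": [s[0] for s in sections if s[4] >= packed_threshold],
        "virtual_exceeds_raw": [s[0] for s in sections if s[2] > 1.5 * s[3]],
        "bytes_outside_sections": file_size - sum(s[3] for s in sections),
        "largest_section": max(sections, key=lambda s: s[3])[0],
    }


if __name__ == "__main__":
    print(section_findings(REPORTED_SECTIONS, REPORTED_FILE_SIZE))
    print(round(shannon_entropy(bytes(range(256)) * 16), 3))  # uniform bytes -> 8.0
```

For this sample the checks return no high-entropy section, .data as the only section whose virtual size outgrows its raw size, 6080 bytes outside the sections (headers included) and .rsrc as the largest section.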
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 266
f93baf6557e104cc2520e63e51beeed9
d8227b13fcf2e9b7d513261f600e2a6b
dd28686e2ae2b2c6077b634434667c6c
7d4eda03a6846d67fb141c16f42121d5
9cec46391e24f11be34895f3f78e89e2
4c7b64db66baff7a94d397f95bbd0f62
ebb3b412e20c450ce922434b2e26c104
3741c8648c63e5349c1ccd9f43c49ce5
3119cd3d5114e9d380ce7f7e3197baa9
973d9451be5089995a4274cdf2f074a7
5f510b5a060ae7bfa8f5351c9eb4483a
ff5c0abc1f9e460ca68f0dc73ff1f1da
c7c7ebfe8f218b15010adfee098f796d
64ebea4671f933787a6eed266660fae4
523be9d38cdfd8ffae58908bf230ccba
27a0e4add6a9e0b8b918eded93aa5581
f6bc68e680a24fe5cde28bd02e02efda
7ed5fcb505b1833baad9e47d84054a38
f37f08f1c9438d9c7ec37a0c642b3ee4
a74f03c68e479e4b030cbf58728874bf
a05f98ea1a0e257c2ca92129f2a8fdaa
995f782c3df4594bb5e4119a9e9f6b20
b20db45fbf1125a1a61d2e030e397779
b1e592994fd233d2f906b2e2c42d323e
59483eef58910cff57e188c7b0ff7be0
URLs
| URL | IP |
|---|---|
| hxxp://74.120.16.113/af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS | |
| hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
| hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
| hxxp://fagamesframework.com/af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS | |
| hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe | |
| hxxp://sp-installer.conduit-data.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
GET /af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS HTTP/1.1
User-Agent: zz_afi 1.28.147
Host: fagamesframework.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 05 Jul 2014 04:27:40 GMT
Server: Apache
Cache-Control: max-age=18000
Expires: Sat, 05 Jul 2014 09:27:40 GMT
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8

unknown parametar..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"BKSBFPQYQFRAR1S0EIQWDCTS7K/4MCAVMXDDMNTWP9BPDHNBFK99IAK XNLOHLHU2MEXZES9T83SVYVXFQIBHW", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Sat, 05 Jul 2014 04:27:21 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sat, 05 Jul 2014 07:27:43 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Sat, 05 Jul 2014 04:42:43 GMT
Date: Sat, 05 Jul 2014 04:27:43 GMT
Connection: keep-alive

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........
[response body: PE executable with sections .text, .rdata, .data, .rsrc; binary content not reproduced]
<<< skipped >>>
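The three requests above, run through a small triage script. This is an added example, not part of the report or of the analysed installer. It parses the plain-text capture (bodies are delimited by blank lines, since the page does not preserve the exact Content-Length bytes), flags the hosts listed in the URL table and the NSIS_Inetc User-Agent that the ET POLICY rule is named after (the matched substring is an assumption; the rule body itself is not on the page), and pulls the event fields out of the JSON telemetry POST, which reports "clean_machine", i.e. that Search Protect was not already present.

```python
import json
import re

# Constructed sample: the three requests from the capture above, as plain text.
CAPTURE = """GET /af/getExternalGamesInfo/ticket=Z4AOX87692PFSPNRxLBS HTTP/1.1
User-Agent: zz_afi 1.28.147
Host: fagamesframework.com
Connection: Keep-Alive

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache

{"event_type":"SPidentifier", "environment":"", "machine_ID":"BKSBFPQYQFRAR1S0EIQWDCTS7K/4MCAVMXDDMNTWP9BPDHNBFK99IAK XNLOHLHU2MEXZES9T83SVYVXFQIBHW", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}

GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Indicators taken from the report: hosts contacted, and the installer
# User-Agent substring the ET POLICY rule is named after (assumed match string).
IOC_HOSTS = {"fagamesframework.com", "sp-installer.conduit-data.com", "sp-storage.conduit-services.com"}
INSTALLER_UA_MARKERS = ("NSIS_Inetc",)

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")


def parse_requests(capture):
    """Split a text capture into requests. Blocks are separated by blank lines;
    a block that does not start with a request line is the body of the
    preceding request (Content-Length is not used, the capture is text only)."""
    requests = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0])
        if m:
            headers = {}
            for line in lines[1:]:
                key, _, value = line.partition(":")
                headers[key.strip().lower()] = value.strip()
            requests.append({"method": m.group(1), "path": m.group(2), "headers": headers, "body": ""})
        elif requests:
            requests[-1]["body"] = block.strip()
    return requests


def triage(requests, ioc_hosts=IOC_HOSTS):
    """One verdict per request: known host, installer User-Agent, PE download
    by path suffix, and the event fields recovered from a JSON body."""
    verdicts = []
    for r in requests:
        h = r["headers"]
        ua = h.get("user-agent", "")
        verdict = {
            "host": h.get("host", ""),
            "ioc_host": h.get("host", "") in ioc_hosts,
            "installer_ua": any(marker in ua for marker in INSTALLER_UA_MARKERS),
            "downloads_pe": r["path"].lower().endswith(".exe"),
            "telemetry": None,
        }
        if r["body"].startswith("{"):
            try:
                body = json.loads(r["body"])
                verdict["telemetry"] = {k: body[k] for k in ("event_type", "result", "failure_reason") if k in body}
            except json.JSONDecodeError:
                pass  # body is not JSON; leave telemetry empty
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in triage(parse_requests(CAPTURE)):
        print(v)
```

The first request (User-Agent "zz_afi 1.28.147", the ArcadeFrontier installer's own string, which also appears in the strings section with its version GUID) is not caught by the User-Agent check and is only flagged through the host list, which is why host and URL indicators matter alongside the ET rule.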
The Trojan connects to the servers at the following location(s):
74.120.16.113
e6337.g.akamaiedge.net
jazz-1846647836.us-east-1.elb.amazonaws.com
fagamesframework.com
sp-storage.conduit-services.com
sp-installer.conduit-data.com
Strings
.text
`.rdata
@.data
.rsrc
@.reloc
WinHTTP.dll
-1.1.3
1.1.3
163|145|134|162
http://e1.arcadefrontier.com/aj/bundle/891/?p=YTM3MDMzODE2NTV43Hc81pthuSBzThYc+TIMLSHCSfmzx6R3snINWKJa7ZgOq6SBsGSneWyXTplZq2BL3webKYQhMNPTqpl/aawi
gdiplus.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
operator
GetProcessWindowStation
WINHTTP.dll
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpQueryOption
GdiplusShutdown
COMCTL32.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegCreateKeyW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSIMG32.dll
GetCPInfo
c:\%original file name%.exe
mconduitinstaller.exe
OCSetupHlp.dll
OCSetupHlp.dllPK
sp-downloader.exe
520426026
SPIdentifier.exe
5424224
[RTF document properties: author malo_nj, created 2013-03-13 10:41, revised 2013-04-10 16:39, version 9, 1 page, 83 words]
By clicking the "Next" button below, you electronically agree to the ArcadeFrontier (HYPERLINK "http://arcadefrontier.com/ClientEula.af") and (HYPERLINK "http://arcadefrontier.com/ClientPrivacyPolicy.af")
You can uninstall ArcadeFrontier any time via Add/Remove programs or by clicking (HYPERLINK "http://arcadefrontier.com/Deactivate.af")
[RTF document properties: author malo_nj, operator Cvija, created 2013-03-19 09:50, revised 2013-05-29 11:36, version 5, 4 pages, 2298 words]
re ("Desktop Max Software") and Services ("Desktop Max Services") and the advertisement-supported version of the Software ("Desktop Software") and Services ("Desktop Services").
y subsequent versions of the Software. You agree to comply with TWCi's Terms and Conditions, as set forth on TWCi's web site, www.weather.com (HYPERLINK "http://www.weather.com/")
C. You understand that the Software is a voluntary software program, and you may uninstall the Software at any time by using your appropriate operating systems' add/remove or uninstall functionality. However, by uninstalling the Software,
www.weather.com/services/desktop/desktopplatinumfaq.html#17 (HYPERLINK "http://www.weather.com/services/desktop/desktopplatinumfaq.html#17")
C. ANY MATERIAL, DATA OR INFORMATION, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS, DOWNLOADED OR OTHERWISE OBTAINED THROUGH T
ACY, USEFULNESS OR AVAILABILITY OF ANY INFORMATION OR DATA TRANSMITTED VIA THE SOFTWARE, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS.
CT LIABILITY, FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF TWCi HAS BEEN ADVISED OF THE POSS
OF $5.00 OR THE AMOUNT YOU PAID TO TWCi. B. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF SECTIONS 4 A
h if applicable, the Software from your operating system and immediately discontinue use of the Services. Your obligation to pay accrued charges and fees shall survive any termination of this Agreement.
8. EXPORT CONTROLS. THE SOFTWARE AND ANY UNDERLYING TECHNOLOGY MAY NOT BE EXPORTED OUTSIDE THE UNITED STATES IN A MANNER THAT IS PROHIBITED BY APPLICABLE EXPORT LAWS AND REGULATIONS. BY DOWNLOADING OR USING THE SOFTWARE OUTSIDE THE UNITED STATES OF AMERICA, YOU ASSUME RESPONSIBILITY FOR COMPLIANCE WITH THE
9. AMENDMENT. TWCi may, in its sole discretion, change, modify, add or remove portions of this license or the Services at any time. TWCi may notify you of any such changes by posting notice of such changes on the TWCi website www.weather.com/ (HYPERLINK "http://www.weather.com/")
by you, or (b) violation of any law or regulation by you. If you are importing the Software from the United States, you shall hold harmless, indemnify and defend TWCi and its affiliated companies and their officers, directors and employees, from and against any import and export duties or other claims arising from such importation.
confirmation or by certified mail with delivery confirmation; provided that, TWCi may provide notice to you via the Software. All notices to TWCi shall be addressed to The Weather Channel Interactive, Inc. 300 Interstate North Parkway, Atlanta, Georgia 30
SEARCHFLY TOOLBAR END USER INSTRUCTIONS
You have elected to download the SearchFly toolbar, an application designed to deliver fresh content directly to your browser, provide you with a choice of useful search engines, allow you to choose from thousands of free apps for your browser, and provide you with hand-picked links to check out from across the web.
Your use of the toolbar is governed by the terms and conditions of the product's End User License Agreement (http://%CTID%.ourtoolbar.com/eula/) and Privacy Policy (http://www.conduit.com/privacy/contentpolicy), which are updated intermittently.
The toolbar will be installed in one of the following ways: On your current browser, on your default browser, or on all of your browsers (Windows® Internet Explorer®, Firefox®, and Chrome™).
Note for Windows 8 Users: When you open Internet Explorer or Firefox from the Start screen (rather than the desktop), the installed toolbar will not be visible or functional.
To uninstall the toolbar, you may use the standard uninstall procedures offered by your device's Operating System or your Internet Browser, as applicable.
For example: To uninstall the toolbar from Firefox, click the Firefox button (or "Tools" menu) at the top of the browser, select "Add-ons" and then select "Extensions." Find the software you want to uninstall and click the "Disable" or "Remove" button. If you want to change your web search settings, depending on the Internet browser you use, you may be able to do so from the drop-down menu of the search box built into your browser.
Additional information for changing search settings for some browsers is available on our search settings page (http://toolbar.conduit.com/changing-search-settings.aspx).
Additional information can be found on our help page (http://support.conduit.com/HelpCenter/Uninstall).
SEARCH PROTECT END USER INSTRUCTIONS
Your use of the Search Protect application is governed by the terms and conditions of the product's End User License Agreement (http://www.conduit.com/legal/searchprotectdescription) and Privacy Policy (http://www.conduit.com/privacy/search-protect-privacy-policy.aspx), which are updated intermittently.
Search Protect will alert you if a third party attempts to change your browser settings. You can elect to change your browser settings at any time through the Search Protect application, which is accessible from the desktop taskbar, or through your browser's Settings/Options tab. Learn more (http://www.conduit.com/searchprotect)
If you elect to change your browser settings via Search Protect, your settings preferences will be applied to Chrome™, Firefox®, and Internet Explorer®. This facilitates your ability to maintain your preferred settings.
If you elect to change your browser settings via your web browser, Search Protect will be disabled for that setting, therefore its ability to prevent third-party software from changing your settings will be halted.
In Chrome, browser settings can be changed via the Chrome menu or wrench icon. In Firefox, settings can be changed via the Firefox button or Tools menu. In Internet Explorer, settings can be changed via the gear icon or Tools menu. For all three browsers, new tab setting can be restored by opening a new tab and clicking "Restore" on the bottom of the page.
You can uninstall Search Protect at any time by using the standard uninstall process that is available as part of your operating system.
In Microsoft Windows®, go to the Control Panel and click "Uninstall a program" or "Programs and Features." Right-click on Search Protect in the list of programs and select Uninstall/Change.
Additional information can be found on our help page (http://www.conduit.com/searchprotect/uninstall).
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
chrome.exe
http://arcadefrontier.com/aj/thanks.php
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\Ntuser.dat
lzz_afi 1.28.147
zz_afi 1.28.147
ESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Advapi32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
http://pages.arcadefrontier.com/aj/bund.php
%x|%s|%s|%s|%s
IEXPLORE.EXE
iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http://arcadefrontier.com/aj/ireport.php
msftedit.dll
RichEd20.dll
mism.exe
, Firefox
, and Chrome
. [http://%CTID%.ourtoolbar.com/LearnMore|Learn more]
%CTID%
s customized web search and web search page, and install [http://%CTID%.ourtoolbar.com/terms|Search Protect]. Send me info from the Toolbar (can be disabled later).
[http://
.ourtoolbar.com/terms|Search Protect].
[http://%CTID%.ourtoolbar.com/terms|terms, license agreements, and privacy policies]. The Toolbar may contain apps that access, collect, and use your personal data, including your IP address and the address and content of web pages you visit. See also the apps
Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s
\Main\rep\SystemRepository.dat
Please read the following important information and terms before continuing.
s home page and search settings. [http://www.conduit.com/searchprotect|Learn more]
By clicking "Agree" you confirm that you have read and agreed to the Search Protect`s [http://www.conduit.com/legal/searchprotectdescription|Terms] and [http://www.conduit.com/privacy/searchprotectprivacypolicy|Privacy Policy], and agree to install Search Protect.
{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}1.28.147
You need to install Windows XP SP1 or higher.
You need to install Windows XP SP2 or higher.
_tpd.exe
00000000
ArcadeFrontier will be enabled in certain browsers.
http://www.arcadefrontier.com/BrowserOptimization.af
Software\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup
Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
http://aff-software.s3-website-us-east-1.amazonaws.com/f7fcdd99a2e75d6ad7c29954e075a8b6/Cloud_Backup_Setup.exe
For Windows, Mac and Linux
Check below to accept the [http://www.mypcbackup.com/terms|terms] and to install the free MyPCBackup, then click Next.
AOCSetupHlp.dll
http://www.opencandy.com/eulas/b/sneula.html
{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}http://fagamesframework.com/af/getExternalGamesInfo/ticket=
gameurl
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
\The Weather Channel\Desktop\apps.ini
\The Weather Channel\The Weather Channel App\installsettings.xml
Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2468871
http://static.af.facdn.com/offers/wd/twcsetup.exe
http://www.arcadefrontier.com/offers/wd/twcsetup.exe
ekernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.1
SetupGUI.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SPIdentifier.exe:1820
%original file name%.exe:368
nsj80.exe:1936
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7E.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V9J33IN2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PU5GX8YM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9MPS5GZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1QVC5Y3\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj80.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.