Trojan.Win32.Swrort.3_f04a4d5450

by malwarelabrobot on June 13th, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f04a4d5450ed03a629adb229886f932d
SHA1: 584c08321296660c24ddecb8f6bbb291bc8ac2d1
SHA256: 52ea76bf16d372e9e02d5d92b894112d65802291a09bc3eb5b8afa22eafd75e4
SSDeep: 24576:iStrUAbM6M/nN9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5vF:iStrUAI6Ml9qhGb1uxjFwSu1DomZF
Size: 1322432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:28:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1836
SPIdentifier.exe:448
nsh42.exe:664

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)

The process SPIdentifier.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh40.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (0 bytes)

The process nsh42.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 48 E9 D0 20 C5 1C 5C 23 37 67 C0 F2 B5 7E 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process SPIdentifier.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw41.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 2D B9 CD 73 60 70 DB 23 11 EA 6D 2E AA 8E 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsh42.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 00 8D 22 26 3D AB 23 7B 22 4A FF BB F0 BB 35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
73554f3944811c0c4b393826943be2ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe
9fb9d49c2db7edd1084ab765d619f5c6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe
3c28060fcffe2b17afa3ec9eabaf5adc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll
d96290ac80c0696023d8a2378bd89efa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 198400 198656 4.5562 5794edb184cc1655228892923cdd0fd4
.rdata 204800 78890 79360 3.13254 5a9614da702cf4869730ea3e79fd4d56
.data 286720 20384 9216 3.18602 e853efea4ae2be64530d1c184773b128
.rsrc 307200 1005432 1005568 5.51625 ab7de3fc354a034360692874cb479c8b
.reloc 1314816 23464 23552 3.25769 9e60931ebc074700654d77d68f1c7831

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 155
4742ce83904ab79ed83fa4b912d92977
3e6525910ee5573c875f8bf6b13d4430
019871bc01db2d7f1d671506c552c8ca
464852c46811bb361281150fc483273e
b66671376033cbef6109ef0f2eaa462f
3bcab6ffd33ebeb62b51d71cdf636b65
bf3fbd7cb310b7401526ad3e77f490f2
dd43ee7b30ffa653e7b507dee5092b6b
518814017052ec01681c81254ce9540c
c2fdab595bb0ea0de2cab8429eabf59d
1e60b3d86e98aa130207f0fc46198504
f41701136cb3f12359b58a08e7d8ba64
3afae0cbb3dc1c5017a3bb19064f2ed1
400687ff58a089f1ceb75333f397c1b9
b4dce333565b9a4081c0b66a47c9b2b4
b6a91a38c54c3460eb23f2faca508820
3491c9a72489ea0e90223c4df838f08f
2c79823d0bd2007ba3c9c8f598a20959
7ab8445337f4fdb94a99a6f2763e8b36
829e680e307d822c1ba79641144590ae
778a3c0e19074d59f3b6358edbfd50cd
8bb4ed37f190a009cb75cda48ba05c8e
ae824098b8fbe18bc065a9209c7bf43f
21f33f42d43215577ff9afd3560ececf
95060355b1023df8b325f76e195162c8

URLs

URL IP
hxxp://fagamesframework.com/af/getExternalGamesInfo/ticket=anANb5DIBUSTPzsQPkBF 74.120.16.113
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe 23.9.99.152
hxxp://sp-installer.conduit-data.com/ 54.235.66.89


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE W32/GameVance Adware User Agent
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Last-Modified: Thu, 12 Jun 2014 09:33:01 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Thu, 12 Jun 2014 06:48:05 GMT
Date: Thu, 12 Jun 2014 06:33:05 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
[email protected]............@.
................................h.....................................
..............0...........`... .......................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]................................
...rsrc...0...........................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /af/getExternalGamesInfo/ticket=anANb5DIBUSTPzsQPkBF HTTP/1.1
User-Agent: zz_afi 1.28.147
Host: fagamesframework.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 06:33:03 GMT
Server: Apache
Cache-Control: max-age=18000
Expires: Thu, 12 Jun 2014 11:33:03 GMT
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8
unknown parametar..


POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache

{"event_type":"SPidentifier", "environment":"",  "machine_ID":"WCB0QMMWHQEIXXX5YMYDHFIANR5RJXVRS0KQJIL7Y9JFHQ/PF3DBRALGTADV1CIJ55NRHXCYS5GOEFIZIJWDJA", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Thu, 12 Jun 2014 06:32:05 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1836:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
SSSSh4(C
SSSSh\(C
uISSh
;NTu^SSh
WinHTTP.dll
-1.1.3
1.1.3
163|145|162
http://e1.arcadefrontier.com/aj/bundle/833/?p=YTMzMzc4MjE4MzV43Hc81pthuSBzThYc+TIMdLqMGyQxnSOTvvfZZn2noQMaMhD/18+abK1YxZv/UD1HGvZFJ5MFuCXWSHflvb1R
gdiplus.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
operator
GetProcessWindowStation
WINHTTP.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpQueryOption
GdiplusShutdown
COMCTL32.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegCreateKeyW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSIMG32.dll
GetCPInfo
zcÁ
c:\%original file name%.exe
mconduitinstaller.exe
Ä\;C
.Tt$&
!$.IHBI
Vv.Vf
3{u.FO
>%s4s
[:%UU
OCSetupHlp.dll
-U^5N`^f.Xl
m%x2)
:.RS]L
.DS2 
i@&Q%c
uzg$}uQ
2{.Wt
.ZSLI|
BfTP>
To%F[Y
X.IHIb)rP4{
r%sO]
lJ.mG
vl.qRB
xT%c%
'R.yV
.Ek#"
>.YqX
Y U%x
!UÝ
.huZA
v.RVa )Eca3
#.ta\
M%ud LR
.Hq9I%
0.Bko
-9%X~
_D`.oN
UF%U(
.uH**r
.aUi%
ST%UIS
.KV/-IV
.QO)O:
.rP1HP
.Vkeu=S
OCSetupHlp.dllPK
sp-downloader.exe
(O(%Íd
sj.IE
Nc1m.Xd}
520426026
ahÝ
SPIdentifier.exe
znsqL
.Nh/h
5424224
f.CR9Cr*
(.%%Fu
M[.ab(O
/|.eC
q}\%X;f
~B%CU
#h)j.Zpi
n.SuT
ø^O
m.qiD
$%fR<
C,D.TZ
%c&bta6
-[A$.Glp
w5.zk
 %Uw]:
DEEô
%Xf>m|
 3%Um
\rsid13843124\rsid14169892\rsid15628380\rsid15748077}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator malo_nj}
{\creatim\yr2013\mo3\dy13\hr10\min41}{\revtim\yr2013\mo4\dy10\hr16\min39}{\version9}{\edmins31}{\nofpages1}{\nofwords83}{\nofchars701}{\nofcharsws783}{\vern32859}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
\par By clicking the "Next" button below, you electronically agree to the ArcadeFrontier }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/ClientEula.af"}{\rtlch\fcs1 \af1\afs18
\par }{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12336207\charrsid222141 and }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/ClientPrivacyPolicy.af"}{\rtlch\fcs1
\par You can uninstall ArcadeFrontier any time via Add/Remove programs or by clicking }{\field\flddirty{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid15628380 HYPERLINK "http://arcadefrontier.com/Deactivate.af"}{\rtlch\fcs1 \af1\afs18
\mintLim0\mnaryLim1}{\info{\author malo_nj}{\operator Cvija}{\creatim\yr2013\mo3\dy19\hr9\min50}{\revtim\yr2013\mo5\dy29\hr11\min36}{\version5}{\edmins5}{\nofpages4}{\nofwords2298}{\nofchars13103}{\nofcharsws15371}{\vern49275}}{\*\xmlnstbl {\xmlns1 http:/
/schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect
re ("Desktop Max Software") and Services ("Desktop Max Services") and the advertisement-supported version of the Software ("Desktop Software") and Services ("Desktop Services").
y subsequent versions of the Software. You agree to comply with TWCi's Terms and Conditions, as set forth on TWCi's web site, }{\field{\*\fldinst {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "http://www.weather.com/"}{\rtlch\fcs1
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 www.weather.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. You understand that the Software is a voluntary software program, and you may uninstall the Software at any time by using your appropriate operating systems' add/remove or uninstall functionality. However, by uninstalling the Software,
HYPERLINK "http://www.weather.com/services/desktop/desktopplatinumfaq.html#17"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\cs17\f1\fs18\ul\cf17\insrsid12658121\charrsid5594936 www.weather.com/services/desktop/desktopplatinumfaq.html#17}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0
\par C. ANY MATERIAL, DATA OR INFORMATION, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS, DOWNLOADED OR OTHERWISE OBTAINED THROUGH T
ACY, USEFULNESS OR AVAILABILITY OF ANY INFORMATION OR DATA TRANSMITTED VIA THE SOFTWARE, INCLUDING WEATHER-RELATED INFORMATION AND REPORTS.
CT LIABILITY, FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF TWCi HAS BEEN ADVISED OF THE POSS
OF $5.00 OR THE AMOUNT YOU PAID TO TWCi. B. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF SECTIONS 4 A
h if applicable, the Software from your operating system and immediately discontinue use of the Services. Your obligation to pay accrued charges and fees shall survive any termination of this Agreement.
\par 8. EXPORT CONTROLS. THE SOFTWARE AND ANY UNDERLYING
TECHNOLOGY MAY NOT BE EXPORTED OUTSIDE THE UNITED STATES IN A MANNER THAT IS PROHIBITED BY APPLICABLE EXPORT LAWS AND REGULATIONS. BY DOWNLOADING OR USING THE SOFTWARE OUTSIDE THE UNITED STATES OF AMERICA, YOU ASSUME RESPONSIBILITY FOR COMPLIANCE WITH THE
\par 9. AMENDMENT. TWCi may, in its sole discretion, change, modify, add or remove portions of this license or the Services at any time. TWCi may notify you of any such changes by posting notice of such changes on the TWCi website }{\field\fldedit{\*\fldinst {
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 HYPERLINK "http://www.weather.com/"}{\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid5594936 {\*\datafield
\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \cs17\f1\fs18\ul\cf17\insrsid5594936 www.weather.com/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sectrsid14353197\sftnbj {\rtlch\fcs1 \af1\afs18 \ltrch\fcs0 \f1\fs18\insrsid12658121\charrsid7081360
by you, or (b) violation of any law or regulation by you. If you are importing the Software from the United States, you shall hold harmless, indemnify and defend TWCi and its affiliated companies and their officers, directors and employees, from and agai
nst any import and export duties or other claims arising from such importation.
confirmation or by certified mail with delivery confirmation; provided that, TWCi may provide notice to you via the Software. All notices to TWCi shall be addressed to The Weather Channel Interactive, Inc. 300 Interstate North Parkway, Atlanta, Georgia 30
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCHFLY TOOLBAR END USER INSTRUCTIONS\par
You have elected to download the SearchFly toolbar, an application designed to deliver fresh content directly to your browser, provide you with a choice of useful search engines, allow you to choose from thousands of free apps for your browser, and provide you with hand-picked links to check out from across the web. \par
Your use of the toolbar is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "http://%CTID%.ourtoolbar.com/eula/" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/privacy/contentpolicy" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 The toolbar will be installed in one of the following ways: On your current browser, on your default browser, or on all of your browsers (Windows\'ae Internet Explorer\'ae, Firefox\'ae, and Chrome\'99).\cf0\par
\cf3 Note for Windows 8 Users: When you open Internet Explorer or Firefox from the Start screen (rather than the desktop), the installed toolbar will not be visible or functional.\cf0\par
\cf3 To uninstall the toolbar, you may use the standard uninstall procedures offered by your device's Operating System or your Internet Browser, as applicable.\cf0\par
\cf3 For example: To uninstall the toolbar from Firefox, click the Firefox button (or \ldblquote Tools\rdblquote menu) at the top of the browser, select \ldblquote Add-ons\rdblquote and then select \ldblquote Extensions.\rdblquote Find the software you want to uninstall and click the \ldblquote Disable\rdblquote or \ldblquote Remove\rdblquote button. If you want to change your web search settings, depending on the Internet browser you use, you may be able to do so from the drop-down menu of the search box built into your browser. \cf0\par
\cf3 Additional information for changing search settings for some browsers is available on our \cf0{\field{\*\fldinst{HYPERLINK "http://toolbar.conduit.com/changing-search-settings.aspx" }}{\fldrslt{\cf2\ul search settings page}}}\cf0\ulnone\f0\fs18 .\par
\cf3 Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "http://support.conduit.com/HelpCenter/Uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sa200\sl276\slmult1\qj\lang1033\kerning1\fs18 SEARCH PROTECT END USER INSTRUCTIONS\par
Your use of the Search Protect application is governed by the terms and conditions of the product\rquote s {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/legal/searchprotectdescription" }}{\fldrslt{\cf2\ul End User License Agreement}}}\cf0\ulnone\f0\fs18 and {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/privacy/search-protect-privacy-policy.aspx" }}{\fldrslt{\cf2\ul Privacy Policy}}}\cf0\ulnone\f0\fs18 , which are updated intermittently. \par
\cf3 Search Protect will alert you if a third party attempts to change your browser settings. You can elect to change your browser settings at any time through the Search Protect application, which is accessible from the desktop taskbar, or through your browser\rquote s Settings/Options tab. {\field{\*\fldinst{HYPERLINK "http://www.conduit.com/searchprotect" }}{\fldrslt{\cf2\ul Learn more}}}\cf0\ulnone\f0\fs18 \par
If you elect to change your browser settings via Search Protect, your settings preferences will be applied to Chrome\'99, Firefox\'ae, and Internet Explorer\'ae. This facilitates your ability to maintain your preferred settings.\par
If you elect to change your browser settings via your web browser, Search Protect will be disabled for that setting, therefore its ability to prevent third-party software from changing your settings will be halted.\par
In Chrome, browser settings can be changed via the Chrome menu or wrench icon. In Firefox, settings can be changed via the Firefox button or Tools menu. In Internet Explorer, settings can be changed via the gear icon or Tools menu. For all three browsers, new tab setting can be restored by opening a new tab and clicking \ldblquote Restore\rdblquote on the bottom of the page.\par
You can uninstall Search Protect at any time by using the standard uninstall process that is available as part of your operating system.\par
In Microsoft Windows\'ae, go to the Control Panel and click \ldblquote Uninstall a program\rdblquote or \ldblquote Programs and Features.\rdblquote Right-click on Search Protect in the list of programs and select Uninstall/Change.\par
Additional information can be found on our \cf0{\field{\*\fldinst{HYPERLINK "http://www.conduit.com/searchprotect/uninstall" }}{\fldrslt{\cf2\ul help page}}}\cf0\ulnone\f0\fs18 .\par
9a-U}.Vy @_
Bb'Qu-V} Qx(Mr'Kq'Lt U
;)
> >$>(>,>0>
1,141<1\1|1
?@?\?`?|?
3 3$3(3,3034383
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
chrome.exe
http://arcadefrontier.com/aj/thanks.php
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\Ntuser.dat
lzz_afi 1.28.147
zz_afi 1.28.147
ESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Advapi32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
http://pages.arcadefrontier.com/aj/bund.php
%x|%s|%s|%s|%s
IEXPLORE.EXE
iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http://arcadefrontier.com/aj/ireport.php
msftedit.dll
RichEd20.dll
mism.exe
, Firefox
, and Chrome
. [http://%CTID%.ourtoolbar.com/LearnMore|Learn more]
%CTID%
s customized web search and web search page, and install [http://%CTID%.ourtoolbar.com/terms|Search Protect]. Send me info from the Toolbar (can be disabled later).
[http://
.ourtoolbar.com/terms|Search Protect].
[http://%CTID%.ourtoolbar.com/terms|terms, license agreements, and privacy policies]. The Toolbar may contain apps that access, collect, and use your personal data, including your IP address and the address and content of web pages you visit. See also the apps
Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
"%s" -carrier_type=ctid -carrier_id=%s -defaultsearch=true -startpage=true -install_time_revert=%s
\Main\rep\SystemRepository.dat
Please read the following important information and terms before continuing.
s home page and search settings. [http://www.conduit.com/searchprotect|Learn more]
By clicking "Agree" you confirm that you have read and agreed to the Search Protect`s [http://www.conduit.com/legal/searchprotectdescription|Terms] and [http://www.conduit.com/privacy/searchprotectprivacypolicy|Privacy Policy], and agree to install Search Protect.
{B34AAD8A-B699-4A45-8665-2B59F5AAD82B}
1.28.147
You need to install Windows XP SP1 or higher.
You need to install Windows XP SP2 or higher.
_tpd.exe
00000000
ArcadeFrontier will be enabled in certain browsers.
http://www.arcadefrontier.com/BrowserOptimization.af
Software\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup
Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
http://aff-software.s3-website-us-east-1.amazonaws.com/f7fcdd99a2e75d6ad7c29954e075a8b6/Cloud_Backup_Setup.exe
For Windows, Mac and Linux
Check below to accept the [http://www.mypcbackup.com/terms|terms] and to install the free MyPCBackup, then click Next.
AOCSetupHlp.dll
http://www.opencandy.com/eulas/b/sneula.html
{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}
http://fagamesframework.com/af/getExternalGamesInfo/ticket=
gameurl
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
\The Weather Channel\Desktop\apps.ini
\The Weather Channel\The Weather Channel App\installsettings.xml
Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2468871
http://static.af.facdn.com/offers/wd/twcsetup.exe
http://www.arcadefrontier.com/offers/wd/twcsetup.exe
ekernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.1
SetupGUI.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1836
    SPIdentifier.exe:448
    nsh42.exe:664

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw41.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh40.tmp (2820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh42.exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\inetc.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp44.tmp\SPtool.dll (49229 bytes)
    %Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
