Remove Attentive Antivirus Rogue (Uninstall Guide)

Attentive Antivirus is a malware infection that belongs to the Rogue.WinWebSec family. It is a scam that infects poorly protected computers, pretends to be a legitimate security program, and alerts you with fake messages claiming that viruses, spyware and Trojans have been detected on your PC.

 

What is the Attentive Antivirus rogue?

 

Attentive Antivirus is categorized as a rogueware program: it claims to scan your computer for viruses, Trojans, spyware and malware and displays obviously fake malware detections and warnings. It then pops up a new window telling you that you need to pay to register the software or to remove these non-existent threats from your computer and protect your PC from infection.

 

Below are screenshots of Attentive Antivirus, a symptom of the infection:

 

 

Attentive Antivirus is very annoying and damaging: once it has settled on your computer, you will be unable to run any installed program. When you try to start a program, Attentive Antivirus terminates it immediately and alerts you that the program file is infected, suggesting that you buy the full edition. Furthermore, it blocks Task Manager, your legitimate antivirus program and the firewall, and the same pop-up window appears asking for some sort of fee.

 

The warning message you will see when you try to open Task Manager:

 

Warning! Infected file detected

Location: File System

Suspicious activity detected in the application taskmgr.exe similar to the behavior of the virus Win32/Conficker.X. For your security and to avoid loss of data, the operation of application cmd.exe has been temporarily restricted.

 

 

A similar warning message pops up when you try to use your web browser:

 

Warning! Infected file detected

Location: File System

Suspicious activity detected in the application Chrome.exe similar to the behavior of the virus Win32/Conficker.X. For your security and to avoid loss of data, the operation of application cmd.exe has been temporarily restricted.

 

 

Important Note: Attentive Antivirus is a scam. Do not trust the bogus alerts; remove the rogue as soon as possible using the free removal guide below.

 

Remove Attentive Antivirus Rogue (Uninstall Guide)

 

Step 1 > Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on, and as soon as anything appears on the screen start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:

 

 

Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter. If you are having trouble entering Safe Mode, please use the following tutorial: How to start Windows in Safe Mode (http://forums.anvisoft.com/viewtopic-47-2703-0.html).

 

 

 

Windows will now boot into Safe Mode with Networking and prompt you to log in. Please log in as the same user you use in normal Windows mode, then proceed with the rest of the steps.

 

Step 2 > Download and install the automatic remover, Anvi Smart Defender, to scan for and remove the infection's remaining files.

 

Anvi Smart Defender is a powerful anti-malware program designed to detect and remove viruses, malware, Trojans, worms and PUPs. You are highly recommended to download and install the free or paid version of Anvi Smart Defender to remove any potentially unwanted program related to Attentive Antivirus.

 

1. Download and install the paid or free version of the Anvi Smart Defender anti-malware software.

 

2. After installing the program, open it, switch to the Scan tab and perform a quick or full scan to eliminate possible infected files. Anvi Smart Defender scans registry objects automatically to make sure your registry entries are clean.

 

3. Once the scan is over, click the View button to check the details of each detection. Make sure to click the "Remove" button to completely remove the malicious files from your computer.

 

 

 

 

Attentive Antivirus Technical Information 

 

• Creates a malicious batch file that disables related system security settings

 


.edata:004680E4 aSystem_0 db 'system',0
.edata:004680EB align 10h
.edata:004680F0 aRegAddHklmSo_0 db 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\'
.edata:004680F0 db 'system" /v EnableLUA /t REG_DWORD /d 0 /f',0Dh,0Ah
.edata:004680F0 db 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\'
.edata:004680F0 db 'system" /v EnableVirtualization /t REG_DWORD /d 0 /f',0Dh,0Ah
.edata:004680F0 db 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\System'
.edata:004680F0 db 'Restore" /v RPSessionInterval /t REG_DWORD /d 0 /f',0Dh,0Ah
.edata:004680F0 db 'sc stop windefend',0Dh,0Ah
.edata:004680F0 db 'sc stop msmpsvc',0Dh,0Ah
.edata:004680F0 db 'sc stop wuauserv',0Dh,0Ah
.edata:004680F0 db 'sc stop wscsvc',0Dh,0Ah
.edata:004680F0 db 'ping localhost -w 1000 -n 3 > nul',0Dh,0Ah
.edata:004680F0 db 'sc config windefend start= disabled',0Dh,0Ah
.edata:004680F0 db 'sc config msmpsvc start= disabled',0Dh,0Ah
.edata:004680F0 db 'sc config wuauserv start= disabled',0Dh,0Ah
.edata:004680F0 db 'sc config wscsvc start= disabled',0Dh,0Ah
.edata:004680F0 db 'sc config luafv start= disabled',0Dh,0Ah
.edata:004680F0 db 'ping localhost -w 1000 -n 2 > nul',0Dh,0Ah
.edata:004680F0 db 'reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v '
.edata:004680F0 db 'MSASCui /f',0Dh,0Ah
.edata:004680F0 db 'reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v '
.edata:004680F0 db '"Windows Defender" /f',0Dh,0Ah,0

.edata:0046B758 aServ_bat:
.edata:0046B758 unicode 0, <\serv.bat>,0
.edata:0046B76C aRunas:
.edata:0046B76C unicode 0, <runas>,0
.edata:0046B778 ; const WCHAR Operation
.edata:0046B778 Operation: ; DATA XREF: sub_40CF5A+58o
.edata:0046B778 unicode 0, <open>,0
.edata:0046B782 align 4
.edata:0046B784 aEnablelua:
.edata:0046B784 unicode 0, <EnableLUA>,0
.edata:0046B798 dd offset unk_4F0053
.edata:0046B79C aFtwareMicrosof:
.edata:0046B79C unicode 0, <FTWARE\Microsoft\Windows\CurrentVersion\policies\system>,0
.edata:0046B80C aAntivirusdisab:
.edata:0046B80C unicode 0, <AntiVirusDisableNotify>,0
.edata:0046B83A align 10h
.edata:0046B840 dd offset unk_4F0053
.edata:0046B844 aFtwareMicros_0:
.edata:0046B844 unicode 0, <FTWARE\Microsoft\Security Center>,0
.edata:0046B886 align 4
.edata:0046B888 dd offset unk_4F0053
.edata:0046B88C aFtwareMicros_1:
.edata:0046B88C unicode 0, <FTWARE\Microsoft\Security Center\Svc>,0
.edata:0046B8D6 align 4
.edata:0046B8D8 aAntivirusoverr:
.edata:0046B8D8 unicode 0, <AntiVirusOverride>,0
.edata:0046B8FC aFirewalldisabl:
.edata:0046B8FC unicode 0, <FirewallDisableNotify>,0
.edata:0046B928 aFirewalloverri:
.edata:0046B928 unicode 0, <FirewallOverride>,0
.edata:0046B94A align 4
.edata:0046B94C aUpdatesdisable:
.edata:0046B94C unicode 0, <UpdatesDisableNotify>,0
.edata:0046B976 align 4
.edata:0046B978 aMsascui:
.edata:0046B978 unicode 0, <MSASCui>,0
.edata:0046B988 dd offset unk_4F0053
.edata:0046B98C aFtwareMicros_2:
.edata:0046B98C unicode 0, <FTWARE\Microsoft\Windows\CurrentVersion\Run>,0
.edata:0046B9E4 aWindowsDefende:
.edata:0046B9E4 unicode 0, <Windows Defender>,0
.edata:0046BA06 align 4
.edata:0046BA08 ; const WCHAR aDisplayname
.edata:0046BA08 aDisplayname: ; DATA XREF: sub_4116F4+95o
.edata:0046BA08 unicode 0, <DisplayName>,0
.edata:0046BA20 ; const WCHAR aInstalllocatio
.edata:0046BA20 aInstalllocatio: ; DATA XREF: sub_4116F4+C3o
.edata:0046BA20 unicode 0, <InstallLocation>,0
.edata:0046BA40 ; const WCHAR aNomodify
.edata:0046BA40 aNomodify: ; DATA XREF: sub_4116F4+D7o
.edata:0046BA40 unicode 0, <NoModify>,0
.edata:0046BA52 align 4
.edata:0046BA54 ; const WCHAR aNorepair
.edata:0046BA54 aNorepair: ; DATA XREF: sub_4116F4+E8o
.edata:0046BA54 unicode 0, <NoRepair>,0
.edata:0046BA66 align 4
.edata:0046BA68 asc_46BA68: ; DATA XREF: sub_4116F4+F4o
.edata:0046BA68 ; sub_411D8D+26Eo
.edata:0046BA68 unicode 0, <">,0
.edata:0046BA6C aUninstall_1: ; DATA XREF: sub_4116F4+14Eo
.edata:0046BA6C unicode 0, <" -uninstall>,0
.edata:0046BA86 align 4
.edata:0046BA88 ; const WCHAR aUninstallstrin
.edata:0046BA88 aUninstallstrin: ; DATA XREF: sub_4116F4+17Eo
.edata:0046BA88 unicode 0, <UninstallString>,0
.edata:0046BAA8 a0: ; DATA XREF: sub_4116F4+1A8o
.edata:0046BAA8 unicode 0, <,0>,0
.edata:0046BAAE align 10h
.edata:0046BAB0 ; const WCHAR aDisplayicon
.edata:0046BAB0 aDisplayicon: ; DATA XREF: sub_4116F4+1D8o
.edata:0046BAB0 unicode 0, <DisplayIcon>,0
.edata:0046BAC8 asc_46BAC8 db '\',0 ; DATA XREF: sub_410BF5+21Fo
.edata:0046BAC8 ; sub_410BF5+22Bo ...


 

• Obtains system environment variables and locates the targets that need to be terminated
 


.edata:0046842C aSystemroot:                            ; DATA XREF: .text:00401869o
.edata:0046842C                 unicode 0, ,0
.edata:00468442                 align 4
.edata:00468444 aWindir:                                ; DATA XREF: .text:0040190Co
.edata:00468444                 unicode 0, ,0
.edata:00468452                 align 4
.edata:00468454 aVmware:                                ; DATA XREF: .text:0040193Eo
.edata:00468454                 unicode 0, ,0
.edata:00468462                 align 4
.edata:00468464 aCabinetwclass:                         ; DATA XREF: .rdata:004028F4o
.edata:00468464                 unicode 0, ,0
.edata:00468480 aActionCenter:                          ; DATA XREF: .rdata:0040291Eo
.edata:00468480                 unicode 0, ,0
.edata:0046849C ; const WCHAR aFwcplui_class
.edata:0046849C aFwcplui_class:                         ; DATA XREF: sub_401772+1Bo
.edata:0046849C                 unicode 0, ,0
.edata:004684B8 ; const WCHAR aWscui_class
.edata:004684B8 aWscui_class:                           ; DATA XREF: sub_401772+2Eo
.edata:004684B8                 unicode 0, ,0
.edata:004684D0 ; const WCHAR aMsascui_class
.edata:004684D0 aMsascui_class:                         ; DATA XREF: sub_401772+41o
.edata:004684D0                 unicode 0, ,0
.edata:004684EC aInvalidStringP db 'invalid string position',0

 

• Creates the startup item "AA2014"
 


.edata:0046B6F8 aRegAddHklmSoft db 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v ',0
.edata:0046B6F8                                         ; DATA XREF: sub_40A0C3+843o
.edata:0046B739                 align 4
.edata:0046B73C aAa2014         db 'AA2014',0           ; DATA XREF: sub_40A0C3+85Bo
.edata:0046B743                 align 4
.edata:0046B744 aTReg_szD       db ' /t REG_SZ /d ',0   ; DATA XREF: sub_40A0C3+873o
.edata:0046B753                 align 4
.edata:0046B754 asc_46B754      db 0Dh,0Ah,0            ; DATA XREF: sub_40A0C3+8A0o
.edata:0046B757                 align 4



.edata:00408523
.edata:00408523
.edata:00408523 sub_408523      proc near               ; CODE XREF: sub_40C2B1+13Dp
.edata:00408523                                         ; sub_40C2B1+1E8p
.edata:00408523                 push    4
.edata:00408525                 mov     eax, offset unk_445D8C
.edata:0040852A                 call    sub_430649
.edata:0040852F                 mov     esi, ecx
.edata:00408531                 mov     [ebp-10h], esi
.edata:00408534                 push    dword ptr [ebp+8]
.edata:00408537                 call    sub_40881B
.edata:0040853C                 and     dword ptr [ebp-4], 0
.edata:00408540                 call    sub_432F8F
.edata:00408545                 and     eax, 7
.edata:00408548                 lea     ecx, [esi+60h]
.edata:0040854B                 push    ds:off_480AE0[eax*4] ; add startup
.edata:00408552                 call    sub_4014A9
.edata:00408557                 or      dword ptr [ebp-4], 0FFFFFFFFh
.edata:0040855B                 mov     eax, esi
.edata:0040855D                 call    sub_430617
.edata:00408562                 retn    4
.edata:00408562 sub_408523      endp ; sp-analysis failed
.edata:00408562
.edata:00408565

.edata:00480AE0 off_480AE0      dd offset off_46AF18    ; DATA XREF: sub_408523+28r
.edata:00480AE4                 dd offset off_46AF80
.edata:00480AE8                 dd offset off_46AFE8
.edata:00480AEC                 dd offset off_46B058
.edata:00480AF0                 dd offset off_46B0C8
.edata:00480AF4                 dd offset off_46B148
.edata:00480AF8                 dd offset off_46B1C8
.edata:00480AFC                 dd offset off_46B240
.edata:00480B00                 dd offset aNewVersionAvai ; "New version available for downloading\n"
.edata:00480B04                 dd offset aNeueVersionZum ; "Neue Version zum Herunterladen verf"
.edata:00480B08                 dd offset aNuevaEdici   ; "Nueva edici"
.edata:00480B0C                 dd offset aUneNouvelleVer ; "Une nouvelle version est disponible en "...
.edata:00480B10                 dd offset aNuovaVersioneD ; "Nuova versione disponibile da scaricare"...
.edata:00480B14                 dd offset aEst          ; "Est"
.edata:00480B18 off_480B18      dd offset aWindirSystem32 ; DATA XREF: sub_408565+28r
.edata:00480B18                                         ; "%WINDIR%\\System32\\audio.dll"
.edata:00480B1C                 dd offset aWindirSystem_0 ; "%WINDIR%\\System32\\constrols.ocx"
.edata:00480B20                 dd offset aWindirSystem_1 ; "%WINDIR%\\System32\\drivers\\spy.sys"
.edata:00480B24                 dd offset aWindirSystem_2 ; "%WINDIR%\\System32\\drivers\\hide2.sys"
.edata:00480B28                 dd offset aWindirSystem_3 ; "%WINDIR%\\System32\\pp.exe"
.edata:00480B2C                 dd offset aWindirSystem_4 ; "%WINDIR%\\System32\\rundll.exe"
.edata:00480B30                 dd offset aWindirSystem_5 ; "%WINDIR%\\System32\\smss.exe"
.edata:00480B34                 dd offset aWindirSystem_6 ; "%WINDIR%\\System32\\mdm.exe"
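As an added example (not code from the original guide or from Anvisoft), the following PowerShell script audits a host for the changes made by the serv.bat strings above (UAC, System Restore, service start types, Security Center flags, deleted Windows Defender Run entries) and for the rogue's own AA2014 Run entry, and reverts them when run with -Revert. The defaults it restores (EnableLUA, EnableVirtualization and RPSessionInterval set to 1, the listed services set to start automatically) are assumptions, not values stated on the page.

```powershell
# Added example, not part of the original guide or of Anvisoft's tooling.
# Audits a Windows host for the tampering performed by the rogue's batch file
# (serv.bat) and its "AA2014" Run entry, as shown in the strings above, and
# reverts it when -Revert is given. Run from an elevated prompt.
# Assumed defaults (not stated on the page): EnableLUA=1, EnableVirtualization=1,
# RPSessionInterval=1, and the listed services starting automatically.
function Invoke-AttentiveAntivirusAudit {
    [CmdletBinding()]
    param([switch]$Revert)

    $policies  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $restore   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $secCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'

    # DWORDs the batch file forces to 0 (UAC, UAC file virtualization, System Restore).
    $forcedToZero = @(
        @{ Path = $policies; Name = 'EnableLUA';            Default = 1 },
        @{ Path = $policies; Name = 'EnableVirtualization'; Default = 1 },
        @{ Path = $restore;  Name = 'RPSessionInterval';    Default = 1 }
    )
    # Security Center flags referenced by the binary; a value of 1 silences
    # the Windows security notifications.
    $secCenterFlags = 'AntiVirusDisableNotify', 'AntiVirusOverride',
                      'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'
    # Services the batch file stops and sets to start= disabled.
    $services = 'windefend', 'msmpsvc', 'wuauserv', 'wscsvc', 'luafv'

    $findings = New-Object System.Collections.ArrayList

    function Get-DwordValue($Path, $Name) {
        if (-not (Test-Path $Path)) { return $null }
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    foreach ($entry in $forcedToZero) {
        $value = Get-DwordValue $entry.Path $entry.Name
        if ($null -ne $value -and $value -ne $entry.Default) {
            [void]$findings.Add("$($entry.Name) = $value (expected $($entry.Default))")
            if ($Revert) {
                Set-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Default -Type DWord
            }
        }
    }

    foreach ($flag in $secCenterFlags) {
        if ((Get-DwordValue $secCenter $flag) -eq 1) {
            [void]$findings.Add("Security Center\$flag = 1 (notifications suppressed)")
            if ($Revert) { Set-ItemProperty -Path $secCenter -Name $flag -Value 0 -Type DWord }
        }
    }

    foreach ($name in $services) {
        # Win32_Service.StartMode is available on PowerShell 2.0 (Windows 7 era),
        # unlike ServiceController.StartType. msmpsvc/luafv are absent on some builds.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }
        if ($svc.StartMode -eq 'Disabled') {
            [void]$findings.Add("Service $name is disabled (state: $($svc.State))")
            if ($Revert) {
                try {
                    Set-Service -Name $name -StartupType Automatic -ErrorAction Stop
                    Start-Service -Name $name -ErrorAction Stop
                } catch { [void]$findings.Add("  failed to re-enable ${name}: $_") }
            }
        }
    }

    # The rogue's own persistence: Run\AA2014 pointing at its executable.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['AA2014']) {
        [void]$findings.Add("Run\AA2014 = $($run.AA2014)")
        if ($Revert) { Remove-ItemProperty -Path $runKey -Name 'AA2014' }
    }
    # Windows Defender's Run entries, which the batch file deletes. Report only:
    # whether one is expected depends on the Windows version, so restore it from
    # a known-good host of the same version rather than guessing the path here.
    foreach ($name in 'MSASCui', 'Windows Defender') {
        if (-not ($run -and $run.PSObject.Properties[$name])) {
            [void]$findings.Add("Run\$name is absent (deleted by the batch file?)")
        }
    }

    return $findings
}

Invoke-AttentiveAntivirusAudit | ForEach-Object { Write-Output $_ }
```

Because the batch file's changes outlive the rogue's executable, running this audit after Step 2 shows whether the scanner left UAC, System Restore or the listed services disabled.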

 

• Rogueware registration serial number:
 

.edata:0040962C ; int __cdecl sub_40962C(LPCWSTR lpString2)
.edata:0040962C sub_40962C      proc near               ; CODE XREF: sub_4283AA+51p
.edata:0040962C
.edata:0040962C lpString2       = dword ptr  8
.edata:0040962C
.edata:0040962C                 push    ebp
.edata:0040962D                 mov     ebp, esp
.edata:0040962F                 push    [ebp+lpString2]
.edata:00409632                 mov     ecx, offset unk_481318
.edata:00409637                 call    sub_41521D
.edata:0040963C                 test    eax, eax
.edata:0040963E                 jz      short loc_409660
.edata:00409640                 cmp     ds:dword_4A5A68, 0
.edata:00409647                 jnz     short loc_40965C
.edata:00409649                 push    [ebp+lpString2] ; serial number:AA39754E-715219CE
.edata:0040964C                 push    ds:lpString1    ; lpString1
.edata:00409652                 call    ds:lstrcmpW
.edata:00409658                 test    eax, eax
.edata:0040965A                 jz      short loc_409660
.edata:0040965C
.edata:0040965C loc_40965C:                             ; CODE XREF: sub_40962C+1Bj
.edata:0040965C                 xor     eax, eax
.edata:0040965E                 pop     ebp
.edata:0040965F                 retn

 
• Creates a mutex ID after registration

 

.edata:004096FC ; =============== S U B R O U T I N E =======================================
.edata:004096FC
.edata:004096FC
.edata:004096FC sub_4096FC      proc near               ; CODE XREF: sub_4170D8:loc_4171FDp
.edata:004096FC                 push    esi
.edata:004096FD                 push    edi
.edata:004096FE                 push    offset off_46B658 ; ID:AA-72857482-618394027-261638484
.edata:00409703                 push    1               ; bInitialOwner
.edata:00409705                 push    0               ; lpMutexAttributes
.edata:00409707                 call    ds:CreateMutexW
.edata:0040970D                 mov     edi, eax
.edata:0040970F                 call    ds:GetLastError
.edata:00409715                 lea     esi, [eax-0B7h]
.edata:0040971B                 neg     esi
.edata:0040971D                 sbb     esi, esi
.edata:0040971F                 inc     esi
.edata:00409720                 test    edi, edi
.edata:00409722                 jz      short loc_40972B
.edata:00409724                 push    edi             ; hMutex
.edata:00409725                 call    ds:ReleaseMutex
.edata:0040972B
.edata:0040972B loc_40972B:                             ; CODE XREF: sub_4096FC+26j
.edata:0040972B                 pop     edi
.edata:0040972C                 test    esi, esi
.edata:0040972E                 pop     esi
.edata:0040972F                 jz      short locret_409760
.edata:00409731                 push    0               ; lpWindowName
.edata:00409733                 push    offset ClassName ; lpClassName
.edata:00409738                 call    ds:FindWindowW
.edata:0040973E                 test    eax, eax
.edata:00409740                 jz      short loc_409758
.edata:00409742                 push    201h            ; lParam
.edata:00409747                 push    4000h           ; wParam
.edata:0040974C                 push    5111h           ; Msg
.edata:00409751                 push    eax             ; hWnd
.edata:00409752                 call    ds:PostMessageW
.edata:00409758
.edata:00409758 loc_409758:                             ; CODE XREF: sub_4096FC+44j
.edata:00409758                 push    0               ; uExitCode
.edata:0040975A                 call    ds:ExitProcess
.edata:00409760 ; ---------------------------------------------------------------------------
.edata:00409760
.edata:00409760 locret_409760:                          ; CODE XREF: sub_4096FC+33j
.edata:00409760                 retn
.edata:00409760 sub_4096FC      endp

 
• Creates a Start Menu icon and a desktop startup icon
 

.edata:00410BF5 ; =============== S U B R O U T I N E =======================================
.edata:00410BF5
.edata:00410BF5 ; Attributes: bp-based frame
.edata:00410BF5
.edata:00410BF5 sub_410BF5      proc near               ; CODE XREF: sub_40CFDA+1640p
.edata:00410BF5
.edata:00410BF5 ppidl           = dword ptr -4060h
.edata:00410BF5 hKey            = dword ptr -405Ch
.edata:00410BF5 pidl            = dword ptr -4058h
.edata:00410BF5 var_4054        = dword ptr -4054h
.edata:00410BF5 var_4050        = dword ptr -4050h
.edata:00410BF5 ppv             = dword ptr -404Ch
.edata:00410BF5 cbData          = dword ptr -4048h
.edata:00410BF5 NumberOfBytesWritten= dword ptr -4044h
.edata:00410BF5 lpData          = dword ptr -4040h
.edata:00410BF5 var_4030        = dword ptr -4030h
.edata:00410BF5 var_402C        = dword ptr -402Ch
.edata:00410BF5 lpFileName      = dword ptr -4028h
.edata:00410BF5 var_4018        = dword ptr -4018h
.edata:00410BF5 var_4014        = dword ptr -4014h
.edata:00410BF5 var_4010        = word ptr -4010h
.edata:00410BF5 pszPath         = byte ptr -2010h
.edata:00410BF5 var_10          = dword ptr -10h
.edata:00410BF5 var_C           = dword ptr -0Ch
.edata:00410BF5 var_4           = dword ptr -4
.edata:00410BF5
.edata:00410BF5                 push    ebp
.edata:00410BF6                 mov     ebp, esp
.edata:00410BF8                 push    0FFFFFFFFh
.edata:00410BFA                 push    offset unk_446585
.edata:00410BFF                 mov     eax, large fs:0
.edata:00410C05                 push    eax
.edata:00410C06                 mov     eax, 4054h
.edata:00410C0B                 call    sub_430B10
.edata:00410C10                 mov     eax, ds:___security_cookie
.edata:00410C15                 xor     eax, ebp
.edata:00410C17                 mov     [ebp+var_10], eax
.edata:00410C1A                 push    ebx
.edata:00410C1B                 push    esi
.edata:00410C1C                 push    edi
.edata:00410C1D                 push    eax
.edata:00410C1E                 lea     eax, [ebp+var_C]
.edata:00410C21                 mov     large fs:0, eax
.edata:00410C27                 lea     eax, [ebp+hKey]
.edata:00410C2D                 push    eax             ; phkResult
.edata:00410C2E                 push    offset SubKey   ; "Software\\Microsoft\\Windows\\CurrentVersi"...
.edata:00410C33                 push    80000001h       ; hKey
.edata:00410C38                 xor     ebx, ebx
.edata:00410C3A                 mov     [ebp+cbData], 1000h
.edata:00410C44                 call    ds:RegOpenKeyW
.edata:00410C4A                 xor     edi, edi
.edata:00410C4C                 inc     edi
.edata:00410C4D                 test    eax, eax
.edata:00410C4F                 jnz     short loc_410C89
.edata:00410C51                 lea     eax, [ebp+cbData]
.edata:00410C57                 push    eax             ; lpcbData
.edata:00410C58                 lea     eax, [ebp+pszPath]
.edata:00410C5E                 push    eax             ; lpData
.edata:00410C5F                 push    ebx             ; lpType
.edata:00410C60                 push    ebx             ; lpReserved
.edata:00410C61                 push    offset ValueName ; "Programs"
.edata:00410C66                 push    [ebp+hKey]      ; hKey
.edata:00410C6C                 call    ds:RegQueryValueExW
.edata:00410C72                 push    [ebp+hKey]      ; hKey
.edata:00410C78                 test    eax, eax
.edata:00410C7A                 mov     esi, ebx
.edata:00410C7C                 cmovz   esi, edi
.edata:00410C7F                 call    ds:RegCloseKey
.edata:00410C85                 test    esi, esi
.edata:00410C87                 jnz     short loc_410CA3
.edata:00410C89
.edata:00410C89 loc_410C89:                             ; CODE XREF: sub_410BF5+5Aj
.edata:00410C89                 lea     eax, [ebp+pszPath]
.edata:00410C8F                 push    eax             ; pszPath
.edata:00410C90                 push    ebx             ; dwFlags
.edata:00410C91                 push    ebx             ; hToken
.edata:00410C92                 push    2               ; csidl
.edata:00410C94                 push    ebx             ; hwnd
.edata:00410C95                 call    ds:SHGetFolderPathW
.edata:00410C9B                 test    eax, eax
.edata:00410C9D                 js      loc_4115FC
.edata:00410CA3
.edata:00410CA3 loc_410CA3:                             ; CODE XREF: sub_410BF5+92j
.edata:00410CA3                 push    offset word_465C54 ; pMore
.edata:00410CA8                 lea     eax, [ebp+pszPath]
.edata:00410CAE                 push    eax             ; pszPath
.edata:00410CAF                 call    ds:PathAppendW
.edata:00410CB5                 test    eax, eax
.edata:00410CB7                 jz      loc_4115FC
.edata:00410CBD                 lea     eax, [ebp+pszPath]
.edata:00410CC3                 push    eax             ; lpFileName
.edata:00410CC4                 call    ds:GetFileAttributesW
.edata:00410CCA                 cmp     eax, 0FFFFFFFFh
.edata:00410CCD                 jz      short loc_410CD3
.edata:00410CCF                 test    al, 10h
.edata:00410CD1                 jnz     short loc_410CE9
.edata:00410CD3
.edata:00410CD3 loc_410CD3:                             ; CODE XREF: sub_410BF5+D8j
.edata:00410CD3                 push    ebx             ; lpSecurityAttributes
.edata:00410CD4                 lea     eax, [ebp+pszPath]
.edata:00410CDA                 push    eax             ; lpPathName
.edata:00410CDB                 call    ds:CreateDirectoryW
.edata:00410CE1                 test    eax, eax
.edata:00410CE3                 jz      loc_4115FC
.edata:00410CE9
.edata:00410CE9 loc_410CE9:                             ; CODE XREF: sub_410BF5+DCj
.edata:00410CE9                 lea     eax, [ebp+ppv]
.edata:00410CEF                 push    eax             ; ppv
.edata:00410CF0                 push    offset riid     ; riid
.edata:00410CF5                 push    edi             ; dwClsContext
.edata:00410CF6                 push    ebx             ; pUnkOuter
.edata:00410CF7                 push    offset rclsid   ; rclsid
.edata:00410CFC                 call    ds:CoCreateInstance
.edata:00410D02                 mov     edi, offset dword_4810F0
.edata:00410D07                 mov     ebx, offset lpData
.edata:00410D0C                 mov     esi, offset dword_481150
.edata:00410D11                 test    eax, eax
.edata:00410D13                 jnz     loc_410E72
.edata:00410D19                 cmp     ds:dword_481104, 8
.edata:00410D20                 mov     eax, [ebp+ppv]
.edata:00410D26                 mov     edx, edi
.edata:00410D28                 cmovnb  edx, ds:dword_4810F0
.edata:00410D2F                 mov     ecx, [eax]
.edata:00410D31                 push    edx
.edata:00410D32                 push    eax
.edata:00410D33                 call    dword ptr [ecx+50h]
.edata:00410D36                 test    eax, eax
.edata:00410D38                 jnz     loc_410E66
.edata:00410D3E                 cmp     ds:dword_4810BC, 8
.edata:00410D45                 mov     eax, [ebp+ppv]
.edata:00410D4B                 mov     edx, ebx
.edata:00410D4D                 cmovnb  edx, ds:lpData
.edata:00410D54                 mov     ecx, [eax]
.edata:00410D56                 push    edx
.edata:00410D57                 push    eax
.edata:00410D58                 call    dword ptr [ecx+24h]
.edata:00410D5B                 test    eax, eax
.edata:00410D5D                 jnz     loc_410E66
.edata:00410D63                 cmp     ds:dword_481164, 8
.edata:00410D6A                 mov     eax, [ebp+ppv]
.edata:00410D70                 mov     edx, esi
.edata:00410D72                 cmovnb  edx, ds:dword_481150
.edata:00410D79                 mov     ecx, [eax]
.edata:00410D7B                 push    0
.edata:00410D7D                 push    edx
.edata:00410D7E                 push    eax
.edata:00410D7F                 call    dword ptr [ecx+44h]
.edata:00410D82                 test    eax, eax
.edata:00410D84                 jnz     loc_410E66
.edata:00410D8A                 mov     eax, [ebp+ppv]
.edata:00410D90                 push    offset word_465C54
.edata:00410D95                 mov     ecx, [eax]
.edata:00410D97                 push    eax
.edata:00410D98                 call    dword ptr [ecx+1Ch]
.edata:00410D9B                 test    eax, eax
.edata:00410D9D                 jnz     loc_410E66
.edata:00410DA3                 mov     eax, [ebp+ppv]
.edata:00410DA9                 lea     edx, [ebp+var_4054]
.edata:00410DAF                 mov     ecx, [eax]
.edata:00410DB1                 push    edx
.edata:00410DB2                 push    offset unk_46C1C8
.edata:00410DB7                 push    eax
.edata:00410DB8                 call    dword ptr [ecx]
.edata:00410DBA                 test    eax, eax
.edata:00410DBC                 jnz     loc_410E66
.edata:00410DC2                 xor     ecx, ecx
.edata:00410DC4                 mov     [ebp+var_4018], ecx
.edata:00410DCA                 mov     [ebp+var_4014], ecx
.edata:00410DD0                 mov     [ebp+var_4014], 7
.edata:00410DDA                 mov     [ebp+var_4018], ecx
.edata:00410DE0                 mov     word ptr [ebp+lpFileName], ax
.edata:00410DE7                 cmp     word ptr [ebp+pszPath], ax
.edata:00410DEE                 jz      short loc_410DFD
.edata:00410DF0                 lea     eax, [ebp+pszPath]
.edata:00410DF6                 push    eax
.edata:00410DF7                 call    sub_4304EE
.edata:00410DFC                 pop     ecx
.edata:00410DFD
.edata:00410DFD loc_410DFD:                             ; CODE XREF: sub_410BF5+1F9j
.edata:00410DFD                 push    eax
.edata:00410DFE                 lea     eax, [ebp+pszPath]
.edata:00410E04                 push    eax
.edata:00410E05                 lea     ecx, [ebp+lpFileName]
.edata:00410E0B                 call    sub_40272C
.edata:00410E10                 and     [ebp+var_4], 0
.edata:00410E14                 push    offset asc_46BAC8 ; "\\"
.edata:00410E19                 call    sub_4304EE
.edata:00410E1E                 pop     ecx
.edata:00410E1F                 push    eax
.edata:00410E20                 push    offset asc_46BAC8 ; "\\"
.edata:00410E25                 lea     ecx, [ebp+lpFileName]
.edata:00410E2B                 call    sub_405CA4
.edata:00410E30                 cmp     [ebp+var_4014], 8
.edata:00410E37                 mov     eax, [ebp+var_4054]
.edata:00410E3D                 lea     edx, [ebp+lpFileName]
.edata:00410E43                 cmovnb  edx, [ebp+lpFileName]
.edata:00410E4A                 mov     ecx, [eax]
.edata:00410E4C                 push    1
.edata:00410E4E                 push    edx
.edata:00410E4F                 push    eax
.edata:00410E50                 call    dword ptr [ecx+18h]
.edata:00410E53                 or      [ebp+var_4], 0FFFFFFFFh
.edata:00410E57                 push    0
.edata:00410E59                 push    1
.edata:00410E5B                 lea     ecx, [ebp+lpFileName]
.edata:00410E61                 call    sub_40251F
.edata:00410E66
.edata:00410E66 loc_410E66:                             ; CODE XREF: sub_410BF5+143j
.edata:00410E66                                         ; sub_410BF5+168j ...
.edata:00410E66                 mov     eax, [ebp+ppv]
.edata:00410E6C                 push    eax
.edata:00410E6D                 mov     ecx, [eax]
.edata:00410E6F                 call    dword ptr [ecx+8]
.edata:00410E72
.edata:00410E72 loc_410E72:                             ; CODE XREF: sub_410BF5+11Ej
.edata:00410E72                 cmp     ds:dword_4A65EC, 0
.edata:00410E79                 jz      loc_41104F
.edata:00410E7F                 lea     eax, [ebp+ppv]
.edata:00410E85                 push    eax             ; ppv
.edata:00410E86                 push    offset riid     ; riid
.edata:00410E8B                 push    1               ; dwClsContext
.edata:00410E8D                 push    0               ; pUnkOuter
.edata:00410E8F                 push    offset rclsid   ; rclsid
.edata:00410E94                 call    ds:CoCreateInstance
.edata:00410E9A                 test    eax, eax
.edata:00410E9C                 jnz     loc_41104F
.edata:00410EA2                 mov     [ebp+var_4030], eax
.edata:00410EA8                 mov     [ebp+var_402C], eax
.edata:00410EAE                 mov     [ebp+var_402C], 7
.edata:00410EB8                 mov     [ebp+var_4030], eax
.edata:00410EBE                 mov     word ptr [ebp+lpData], ax
.edata:00410EC5                 mov     [ebp+var_4], 1
.edata:00410ECC                 cmp     ds:dword_481104, 8
.edata:00410ED3                 mov     eax, [ebp+ppv]
.edata:00410ED9                 mov     edx, edi
.edata:00410EDB                 cmovnb  edx, ds:dword_4810F0
.edata:00410EE2                 mov     ecx, [eax]
.edata:00410EE4                 push    edx
.edata:00410EE5                 push    eax
.edata:00410EE6                 call    dword ptr [ecx+50h]
.edata:00410EE9                 test    eax, eax
.edata:00410EEB                 jnz     loc_411030
.edata:00410EF1                 mov     eax, [ebp+ppv]
.edata:00410EF7                 push    offset aUninstall ; "-uninstall"
.edata:00410EFC                 mov     ecx, [eax]
.edata:00410EFE                 push    eax
.edata:00410EFF                 call    dword ptr [ecx+2Ch]
.edata:00410F02                 test    eax, eax
.edata:00410F04                 jnz     loc_411030
.edata:00410F0A                 cmp     ds:dword_4810BC, 8
.edata:00410F11                 mov     eax, [ebp+ppv]
.edata:00410F17                 mov     edx, ebx
.edata:00410F19                 cmovnb  edx, ds:lpData
.edata:00410F20                 mov     ecx, [eax]
.edata:00410F22                 push    edx
.edata:00410F23                 push    eax
.edata:00410F24                 call    dword ptr [ecx+24h]
.edata:00410F27                 test    eax, eax
.edata:00410F29                 jnz     loc_411030
.edata:00410F2F                 cmp     ds:dword_481164, 8
.edata:00410F36                 mov     eax, [ebp+ppv]
.edata:00410F3C                 mov     edx, esi
.edata:00410F3E                 cmovnb  edx, ds:dword_481150
.edata:00410F45                 mov     ecx, [eax]
.edata:00410F47                 push    0
.edata:00410F49                 push    edx
.edata:00410F4A                 push    eax
.edata:00410F4B                 call    dword ptr [ecx+44h]
.edata:00410F4E                 test    eax, eax
.edata:00410F50                 jnz     loc_411030
.edata:00410F56                 mov     eax, [ebp+ppv]
.edata:00410F5C                 push    offset word_465C54
.edata:00410F61                 mov     ecx, [eax]
.edata:00410F63                 push    eax
.edata:00410F64                 call    dword ptr [ecx+1Ch]
.edata:00410F67                 test    eax, eax
.edata:00410F69                 jnz     loc_411030
.edata:00410F6F                 mov     eax, [ebp+ppv]
.edata:00410F75                 lea     edx, [ebp+var_4054]
.edata:00410F7B                 mov     ecx, [eax]
.edata:00410F7D                 push    edx
.edata:00410F7E                 push    offset unk_46C1C8
.edata:00410F83                 push    eax
.edata:00410F84                 call    dword ptr [ecx]
.edata:00410F86                 test    eax, eax
.edata:00410F88                 jnz     loc_411030
.edata:00410F8E                 xor     ecx, ecx
.edata:00410F90                 mov     [ebp+var_4018], ecx
.edata:00410F96                 mov     [ebp+var_4014], ecx
.edata:00410F9C                 mov     [ebp+var_4014], 7
.edata:00410FA6                 mov     [ebp+var_4018], ecx
.edata:00410FAC                 mov     word ptr [ebp+lpFileName], ax
.edata:00410FB3                 cmp     word ptr [ebp+pszPath], ax
.edata:00410FBA                 jz      short loc_410FC9
.edata:00410FBC                 lea     eax, [ebp+pszPath]
.edata:00410FC2                 push    eax
.edata:00410FC3                 call    sub_4304EE
.edata:00410FC8                 pop     ecx
.edata:00410FC9
.edata:00410FC9 loc_410FC9:                             ; CODE XREF: sub_410BF5+3C5j
.edata:00410FC9                 push    eax
.edata:00410FCA                 lea     eax, [ebp+pszPath]
.edata:00410FD0                 push    eax
.edata:00410FD1                 lea     ecx, [ebp+lpFileName]
.edata:00410FD7                 call    sub_40272C
.edata:00410FDC                 mov     byte ptr [ebp+var_4], 2
.edata:00410FE0                 mov     edi, offset aUninstall_0 ; "\\Uninstall "
.edata:00410FE5                 push    edi
.edata:00410FE6                 call    sub_4304EE
.edata:00410FEB                 pop     ecx
.edata:00410FEC                 push    eax
.edata:00410FED                 push    edi
.edata:00410FEE                 lea     ecx, [ebp+lpFileName]
.edata:00410FF4                 call    sub_405CA4
.edata:00410FF9                 cmp     [ebp+var_4014], 8
.edata:00411000                 mov     eax, [ebp+var_4054]
.edata:00411006                 lea     edx, [ebp+lpFileName]
.edata:0041100C                 cmovnb  edx, [ebp+lpFileName]
.edata:00411013                 mov     ecx, [eax]
.edata:00411015                 push    1
.edata:00411017                 push    edx
.edata:00411018                 push    eax
.edata:00411019                 call    dword ptr [ecx+18h]
.edata:0041101C                 xor     eax, eax
.edata:0041101E                 inc     eax
.edata:0041101F                 mov     byte ptr [ebp+var_4], al
.edata:00411022                 push    0
.edata:00411024                 push    eax
.edata:00411025                 lea     ecx, [ebp+lpFileName]
.edata:0041102B                 call    sub_40251F
.edata:00411030
.edata:00411030 loc_411030:                             ; CODE XREF: sub_410BF5+2F6j
.edata:00411030                                         ; sub_410BF5+30Fj ...
.edata:00411030                 mov     eax, [ebp+ppv]
.edata:00411036                 push    eax
.edata:00411037                 mov     ecx, [eax]
.edata:00411039                 call    dword ptr [ecx+8]
.edata:0041103C                 or      [ebp+var_4], 0FFFFFFFFh
.edata:00411040                 push    0
.edata:00411042                 push    1
.edata:00411044                 lea     ecx, [ebp+lpData]
.edata:0041104A                 call    sub_40251F
.edata:0041104F
.edata:0041104F loc_41104F:                             ; CODE XREF: sub_410BF5+284j
.edata:0041104F                                         ; sub_410BF5+2A7j
.edata:0041104F                 cmp     ds:dword_4812E0, 0
.edata:00411056                 mov     edi, ds:SHGetSpecialFolderLocation
.edata:0041105C                 mov     ebx, ds:SHGetPathFromIDListW
.edata:00411062                 jz      loc_4112B5
.edata:00411068                 xor     ecx, ecx
.edata:0041106A                 xor     eax, eax
.edata:0041106C                 mov     [ebp+var_4018], ecx
.edata:00411072                 mov     [ebp+var_4014], ecx
.edata:00411078                 mov     [ebp+var_4014], 7
.edata:00411082                 mov     [ebp+var_4018], ecx
.edata:00411088                 mov     word ptr [ebp+lpFileName], ax
.edata:0041108F                 cmp     word ptr [ebp+pszPath], ax
.edata:00411096                 jz      short loc_4110A5
.edata:00411098                 lea     eax, [ebp+pszPath]
.edata:0041109E                 push    eax
.edata:0041109F                 call    sub_4304EE
.edata:004110A4                 pop     ecx
.edata:004110A5
.edata:004110A5 loc_4110A5:                             ; CODE XREF: sub_410BF5+4A1j
.edata:004110A5                 push    eax
.edata:004110A6                 lea     eax, [ebp+pszPath]
.edata:004110AC                 push    eax
.edata:004110AD                 lea     ecx, [ebp+lpFileName]
.edata:004110B3                 call    sub_40272C
.edata:004110B8                 mov     [ebp+var_4], 3
.edata:004110BF                 mov     esi, offset unk_46BB48
.edata:004110C4                 push    esi
.edata:004110C5                 call    sub_4304EE
.edata:004110CA                 pop     ecx
.edata:004110CB                 push    eax
.edata:004110CC                 push    esi
.edata:004110CD                 lea     ecx, [ebp+lpFileName]
.edata:004110D3                 call    sub_405CA4
.edata:004110D8                 cmp     [ebp+var_4014], 8
.edata:004110DF                 lea     eax, [ebp+lpFileName]
.edata:004110E5                 cmovnb  eax, [ebp+lpFileName]
.edata:004110EC                 xor     ecx, ecx
.edata:004110EE                 push    ecx             ; hTemplateFile
.edata:004110EF                 push    80h             ; dwFlagsAndAttributes
.edata:004110F4                 push    2               ; dwCreationDisposition
.edata:004110F6                 push    ecx             ; lpSecurityAttributes
.edata:004110F7                 push    ecx             ; dwShareMode
.edata:004110F8                 push    1F01FFh         ; dwDesiredAccess
.edata:004110FD                 push    eax             ; lpFileName
.edata:004110FE                 call    ds:CreateFileW
.edata:00411104                 mov     esi, eax
.edata:00411106                 cmp     esi, 0FFFFFFFFh
.edata:00411109                 jz      loc_41129D
.edata:0041110F                 cmp     ds:dword_4812E4, 8
.edata:00411116                 push    0               ; lpOverlapped
.edata:00411118                 lea     eax, [ebp+NumberOfBytesWritten]
.edata:0041111E                 push    eax             ; lpNumberOfBytesWritten
.edata:0041111F                 mov     eax, ds:dword_4812E0
.edata:00411124                 mov     ecx, offset lpBuffer
.edata:00411129                 cmovnb  ecx, ds:lpBuffer
.edata:00411130                 lea     eax, ds:2[eax*2]
.edata:00411137                 push    eax             ; nNumberOfBytesToWrite
.edata:00411138                 push    ecx             ; lpBuffer
.edata:00411139                 push    esi             ; hFile
.edata:0041113A                 call    ds:WriteFile
.edata:00411140                 push    esi             ; hObject
.edata:00411141                 call    ds:CloseHandle
.edata:00411147                 lea     eax, [ebp+var_4050]
.edata:0041114D                 push    eax             ; ppv
.edata:0041114E                 push    offset stru_46C198 ; riid
.edata:00411153                 push    1               ; dwClsContext
.edata:00411155                 xor     esi, esi
.edata:00411157                 push    esi             ; pUnkOuter
.edata:00411158                 push    offset stru_46C188 ; rclsid
.edata:0041115D                 mov     [ebp+var_4050], esi
.edata:00411163                 call    ds:CoCreateInstance
.edata:00411169                 test    eax, eax
.edata:0041116B                 jnz     loc_41129D
.edata:00411171                 cmp     [ebp+var_4014], 8
.edata:00411178                 mov     eax, [ebp+var_4050]
.edata:0041117E                 lea     edx, [ebp+lpFileName]
.edata:00411184                 cmovnb  edx, [ebp+lpFileName]
.edata:0041118B                 mov     ecx, [eax]
.edata:0041118D                 push    esi
.edata:0041118E                 push    edx
.edata:0041118F                 push    eax
.edata:00411190                 call    dword ptr [ecx+0Ch]
.edata:00411193                 test    eax, eax
.edata:00411195                 jnz     loc_411291
.edata:0041119B                 mov     eax, [ebp+var_4050]
.edata:004111A1                 lea     edx, [ebp+var_4054]
.edata:004111A7                 mov     ecx, [eax]
.edata:004111A9                 push    edx
.edata:004111AA                 push    offset unk_46C1C8
.edata:004111AF                 push    eax
.edata:004111B0                 call    dword ptr [ecx]
.edata:004111B2                 test    eax, eax
.edata:004111B4                 jnz     loc_411291
.edata:004111BA                 lea     eax, [ebp+pidl]
.edata:004111C0                 push    eax             ; ppidl
.edata:004111C1                 push    esi             ; csidl
.edata:004111C2                 push    esi             ; hwnd
.edata:004111C3                 call    edi ; SHGetSpecialFolderLocation
.edata:004111C5                 test    eax, eax
.edata:004111C7                 jnz     loc_411285
.edata:004111CD                 lea     eax, [ebp+var_4010]
.edata:004111D3                 push    eax             ; pszPath
.edata:004111D4                 push    [ebp+pidl]      ; pidl
.edata:004111DA                 call    ebx ; SHGetPathFromIDListW
.edata:004111DC                 test    eax, eax
.edata:004111DE                 jz      loc_411285
.edata:004111E4                 xor     eax, eax
.edata:004111E6                 mov     [ebp+var_4030], esi
.edata:004111EC                 mov     [ebp+var_402C], esi
.edata:004111F2                 mov     [ebp+var_402C], 7
.edata:004111FC                 mov     [ebp+var_4030], esi
.edata:00411202                 mov     word ptr [ebp+lpData], ax
.edata:00411209                 cmp     [ebp+var_4010], ax
.edata:00411210                 jz      short loc_41121F
.edata:00411212                 lea     eax, [ebp+var_4010]
.edata:00411218                 push    eax
.edata:00411219                 call    sub_4304EE
.edata:0041121E                 pop     ecx
.edata:0041121F
.edata:0041121F loc_41121F:                             ; CODE XREF: sub_410BF5+61Bj
.edata:0041121F                 push    eax
.edata:00411220                 lea     eax, [ebp+var_4010]
.edata:00411226                 push    eax
.edata:00411227                 lea     ecx, [ebp+lpData]
.edata:0041122D                 call    sub_40272C
.edata:00411232                 mov     byte ptr [ebp+var_4], 4
.edata:00411236                 mov     esi, offset unk_46BB98
.edata:0041123B                 push    esi
.edata:0041123C                 call    sub_4304EE
.edata:00411241                 pop     ecx
.edata:00411242                 push    eax
.edata:00411243                 push    esi
.edata:00411244                 lea     ecx, [ebp+lpData]
.edata:0041124A                 call    sub_405CA4
.edata:0041124F                 cmp     [ebp+var_402C], 8
.edata:00411256                 mov     eax, [ebp+var_4054]
.edata:0041125C                 lea     edx, [ebp+lpData]
.edata:00411262                 cmovnb  edx, [ebp+lpData]
.edata:00411269                 mov     ecx, [eax]
.edata:0041126B                 push    1
.edata:0041126D                 push    edx
.edata:0041126E                 push    eax
.edata:0041126F                 call    dword ptr [ecx+18h]
.edata:00411272                 mov     byte ptr [ebp+var_4], 3
.edata:00411276                 push    0
.edata:00411278                 push    1
.edata:0041127A                 lea     ecx, [ebp+lpData]
.edata:00411280                 call    sub_40251F
.edata:00411285
.edata:00411285 loc_411285:                             ; CODE XREF: sub_410BF5+5D2j
.edata:00411285                                         ; sub_410BF5+5E9j
.edata:00411285                 mov     eax, [ebp+var_4054]
.edata:0041128B                 push    eax
.edata:0041128C                 mov     ecx, [eax]
.edata:0041128E                 call    dword ptr [ecx+8]
.edata:00411291
.edata:00411291 loc_411291:                             ; CODE XREF: sub_410BF5+5A0j
.edata:00411291                                         ; sub_410BF5+5BFj
.edata:00411291                 mov     eax, [ebp+var_4050]
.edata:00411297                 push    eax
.edata:00411298                 mov     ecx, [eax]
.edata:0041129A                 call    dword ptr [ecx+8]
.edata:0041129D
.edata:0041129D loc_41129D:                             ; CODE XREF: sub_410BF5+514j
.edata:0041129D                                         ; sub_410BF5+576j
.edata:0041129D                 or      [ebp+var_4], 0FFFFFFFFh
.edata:004112A1                 push    0
.edata:004112A3                 push    1
.edata:004112A5                 lea     ecx, [ebp+lpFileName]
.edata:004112AB                 call    sub_40251F
.edata:004112B0                 mov     esi, offset dword_481150
.edata:004112B5
.edata:004112B5 loc_4112B5:                             ; CODE XREF: sub_410BF5+46Dj
.edata:004112B5                 and     [ebp+pidl], 0
.edata:004112BC                 lea     eax, [ebp+pidl]
.edata:004112C2                 push    eax             ; ppv
.edata:004112C3                 push    offset stru_46C198 ; riid
.edata:004112C8                 push    1               ; dwClsContext
.edata:004112CA                 push    0               ; pUnkOuter
.edata:004112CC                 push    offset stru_46C188 ; rclsid
.edata:004112D1                 call    ds:CoCreateInstance
.edata:004112D7                 test    eax, eax
.edata:004112D9                 jnz     loc_4115F7
.edata:004112DF                 cmp     ds:dword_48123C, 8
.edata:004112E6                 mov     eax, [ebp+pidl]
.edata:004112EC                 mov     edx, offset dword_481228
.edata:004112F1                 cmovnb  edx, ds:dword_481228
.edata:004112F8                 mov     ecx, [eax]
.edata:004112FA                 push    0
.edata:004112FC                 push    edx
.edata:004112FD                 push    eax
.edata:004112FE                 call    dword ptr [ecx+0Ch]
.edata:00411301                 test    eax, eax
.edata:00411303                 jnz     loc_4115EB
.edata:00411309                 mov     eax, [ebp+pidl]
.edata:0041130F                 lea     edx, [ebp+var_4054]
.edata:00411315                 mov     ecx, [eax]
.edata:00411317                 push    edx
.edata:00411318                 push    offset unk_46C1C8
.edata:0041131D                 push    eax
.edata:0041131E                 call    dword ptr [ecx]
.edata:00411320                 test    eax, eax
.edata:00411322                 jnz     loc_4115EB
.edata:00411328                 lea     eax, [ebp+ppidl]
.edata:0041132E                 push    eax             ; ppidl
.edata:0041132F                 push    0               ; csidl
.edata:00411331                 push    0               ; hwnd
.edata:00411333                 call    edi ; SHGetSpecialFolderLocation
.edata:00411335                 test    eax, eax
.edata:00411337                 jnz     loc_4115DF
.edata:0041133D                 lea     eax, [ebp+var_4010]
.edata:00411343                 push    eax             ; pszPath
.edata:00411344                 push    [ebp+ppidl]     ; pidl
.edata:0041134A                 call    ebx ; SHGetPathFromIDListW
.edata:0041134C                 test    eax, eax
.edata:0041134E                 jz      loc_4115DF
.edata:00411354                 xor     ebx, ebx
.edata:00411356                 xor     eax, eax
.edata:00411358                 mov     [ebp+var_4018], ebx
.edata:0041135E                 mov     [ebp+var_4014], ebx
.edata:00411364                 mov     [ebp+var_4014], 7
.edata:0041136E                 mov     [ebp+var_4018], ebx
.edata:00411374                 mov     word ptr [ebp+lpFileName], ax
.edata:0041137B                 cmp     [ebp+var_4010], ax
.edata:00411382                 jz      short loc_411391
.edata:00411384                 lea     eax, [ebp+var_4010]
.edata:0041138A                 push    eax
.edata:0041138B                 call    sub_4304EE
.edata:00411390                 pop     ecx
.edata:00411391
.edata:00411391 loc_411391:                             ; CODE XREF: sub_410BF5+78Dj
.edata:00411391                 push    eax
.edata:00411392                 lea     eax, [ebp+var_4010]
.edata:00411398                 push    eax
.edata:00411399                 lea     ecx, [ebp+lpFileName]
.edata:0041139F                 call    sub_40272C
.edata:004113A4                 mov     [ebp+var_4], 5
.edata:004113AB                 mov     edi, offset unk_46BBF0
.edata:004113B0                 push    edi
.edata:004113B1                 call    sub_4304EE
.edata:004113B6                 pop     ecx
.edata:004113B7                 push    eax
.edata:004113B8                 push    edi
.edata:004113B9                 lea     ecx, [ebp+lpFileName]
.edata:004113BF                 call    sub_405CA4
.edata:004113C4                 cmp     [ebp+var_4014], 8
.edata:004113CB                 mov     eax, [ebp+var_4054]
.edata:004113D1                 lea     edx, [ebp+lpFileName]
.edata:004113D7                 cmovnb  edx, [ebp+lpFileName]
.edata:004113DE                 mov     ecx, [eax]
.edata:004113E0                 xor     edi, edi
.edata:004113E2                 inc     edi
.edata:004113E3                 push    edi
.edata:004113E4                 push    edx
.edata:004113E5                 push    eax
.edata:004113E6                 call    dword ptr [ecx+18h]
.edata:004113E9                 cmp     word ptr [ebp+pszPath], 0
.edata:004113F1                 jnz     short loc_4113F7
.edata:004113F3                 mov     eax, ebx
.edata:004113F5                 jmp     short loc_411404
.edata:004113F7 ; ---------------------------------------------------------------------------
.edata:004113F7
.edata:004113F7 loc_4113F7:                             ; CODE XREF: sub_410BF5+7FCj
.edata:004113F7                 lea     eax, [ebp+pszPath]
.edata:004113FD                 push    eax
.edata:004113FE                 call    sub_4304EE
.edata:00411403                 pop     ecx
.edata:00411404
.edata:00411404 loc_411404:                             ; CODE XREF: sub_410BF5+800j
.edata:00411404                 push    eax
.edata:00411405                 lea     eax, [ebp+pszPath]
.edata:0041140B                 push    eax
.edata:0041140C                 lea     ecx, [ebp+lpFileName]
.edata:00411412                 call    sub_40272C
.edata:00411417                 push    offset unk_46BBF0
.edata:0041141C                 call    sub_4304EE
.edata:00411421                 pop     ecx
.edata:00411422                 push    eax
.edata:00411423                 push    offset unk_46BBF0
.edata:00411428                 lea     ecx, [ebp+lpFileName]
.edata:0041142E                 call    sub_405CA4
.edata:00411433                 cmp     [ebp+var_4014], 8
.edata:0041143A                 mov     eax, [ebp+var_4054]
.edata:00411440                 lea     edx, [ebp+lpFileName]
.edata:00411446                 cmovnb  edx, [ebp+lpFileName]
.edata:0041144D                 mov     ecx, [eax]
.edata:0041144F                 push    edi
.edata:00411450                 push    edx
.edata:00411451                 push    eax
.edata:00411452                 call    dword ptr [ecx+18h]
.edata:00411455                 lea     eax, [ebp+var_4050]
.edata:0041145B                 push    eax             ; ppv
.edata:0041145C                 push    offset riid     ; riid
.edata:00411461                 push    edi             ; dwClsContext
.edata:00411462                 push    ebx             ; pUnkOuter
.edata:00411463                 push    offset rclsid   ; rclsid
.edata:00411468                 call    ds:CoCreateInstance
.edata:0041146E                 test    eax, eax
.edata:00411470                 jnz     loc_4115CE
.edata:00411476                 cmp     ds:dword_481104, 8
.edata:0041147D                 mov     eax, [ebp+var_4050]
.edata:00411483                 mov     edx, offset dword_4810F0
.edata:00411488                 cmovnb  edx, ds:dword_4810F0
.edata:0041148F                 mov     ecx, [eax]
.edata:00411491                 push    edx
.edata:00411492                 push    eax
.edata:00411493                 call    dword ptr [ecx+50h]
.edata:00411496                 test    eax, eax
.edata:00411498                 jnz     loc_4115C2
.edata:0041149E                 cmp     ds:dword_4810BC, 8
.edata:004114A5                 mov     eax, [ebp+var_4050]
.edata:004114AB                 mov     edx, offset lpData
.edata:004114B0                 cmovnb  edx, ds:lpData
.edata:004114B7                 mov     ecx, [eax]
.edata:004114B9                 push    edx
.edata:004114BA                 push    eax
.edata:004114BB                 call    dword ptr [ecx+24h]
.edata:004114BE                 test    eax, eax
.edata:004114C0                 jnz     loc_4115C2
.edata:004114C6                 cmp     ds:dword_481164, 8
.edata:004114CD                 mov     eax, [ebp+var_4050]
.edata:004114D3                 cmovnb  esi, ds:dword_481150
.edata:004114DA                 mov     ecx, [eax]
.edata:004114DC                 push    ebx
.edata:004114DD                 push    esi
.edata:004114DE                 push    eax
.edata:004114DF                 call    dword ptr [ecx+44h]
.edata:004114E2                 test    eax, eax
.edata:004114E4                 jnz     loc_4115C2
.edata:004114EA                 mov     eax, [ebp+var_4050]
.edata:004114F0                 push    offset word_465C54
.edata:004114F5                 mov     ecx, [eax]
.edata:004114F7                 push    eax
.edata:004114F8                 call    dword ptr [ecx+1Ch]
.edata:004114FB                 test    eax, eax
.edata:004114FD                 jnz     loc_4115C2
.edata:00411503                 mov     eax, [ebp+var_4050]
.edata:00411509                 lea     edx, [ebp+NumberOfBytesWritten]
.edata:0041150F                 mov     ecx, [eax]
.edata:00411511                 push    edx
.edata:00411512                 push    offset unk_46C1C8
.edata:00411517                 push    eax
.edata:00411518                 call    dword ptr [ecx]
.edata:0041151A                 test    eax, eax
.edata:0041151C                 jnz     loc_4115C2
.edata:00411522                 mov     [ebp+var_4030], ebx
.edata:00411528                 mov     [ebp+var_402C], ebx
.edata:0041152E                 mov     [ebp+var_402C], 7
.edata:00411538                 mov     [ebp+var_4030], ebx
.edata:0041153E                 mov     word ptr [ebp+lpData], ax
.edata:00411545                 cmp     [ebp+var_4010], ax
.edata:0041154C                 jnz     short loc_411552
.edata:0041154E                 mov     eax, ebx
.edata:00411550                 jmp     short loc_41155F
.edata:00411552 ; ---------------------------------------------------------------------------
.edata:00411552
.edata:00411552 loc_411552:                             ; CODE XREF: sub_410BF5+957j
.edata:00411552                 lea     eax, [ebp+var_4010]
.edata:00411558                 push    eax
.edata:00411559                 call    sub_4304EE
.edata:0041155E                 pop     ecx
.edata:0041155F
.edata:0041155F loc_41155F:                             ; CODE XREF: sub_410BF5+95Bj
.edata:0041155F                 push    eax
.edata:00411560                 lea     eax, [ebp+var_4010]
.edata:00411566                 push    eax
.edata:00411567                 lea     ecx, [ebp+lpData]
.edata:0041156D                 call    sub_40272C
.edata:00411572                 mov     byte ptr [ebp+var_4], 6
.edata:00411576                 mov     esi, offset asc_46BAC8 ; "\\"
.edata:0041157B                 push    esi
.edata:0041157C                 call    sub_4304EE
.edata:00411581                 pop     ecx
.edata:00411582                 push    eax
.edata:00411583                 push    esi
.edata:00411584                 lea     ecx, [ebp+lpData]
.edata:0041158A                 call    sub_405CA4
.edata:0041158F                 cmp     [ebp+var_402C], 8
.edata:00411596                 mov     eax, [ebp+NumberOfBytesWritten]
.edata:0041159C                 lea     edx, [ebp+lpData]
.edata:004115A2                 cmovnb  edx, [ebp+lpData]
.edata:004115A9                 mov     ecx, [eax]
.edata:004115AB                 push    edi
.edata:004115AC                 push    edx
.edata:004115AD                 push    eax
.edata:004115AE                 call    dword ptr [ecx+18h]
.edata:004115B1                 mov     byte ptr [ebp+var_4], 5
.edata:004115B5                 push    ebx
.edata:004115B6                 push    edi
.edata:004115B7                 lea     ecx, [ebp+lpData]
.edata:004115BD                 call    sub_40251F
.edata:004115C2
.edata:004115C2 loc_4115C2:                             ; CODE XREF: sub_410BF5+8A3j
.edata:004115C2                                         ; sub_410BF5+8CBj ...
.edata:004115C2                 mov     eax, [ebp+var_4050]
.edata:004115C8                 push    eax
.edata:004115C9                 mov     ecx, [eax]
.edata:004115CB                 call    dword ptr [ecx+8]
.edata:004115CE
.edata:004115CE loc_4115CE:                             ; CODE XREF: sub_410BF5+87Bj
.edata:004115CE                 or      [ebp+var_4], 0FFFFFFFFh
.edata:004115D2                 push    ebx
.edata:004115D3                 push    edi
.edata:004115D4                 lea     ecx, [ebp+lpFileName]
.edata:004115DA                 call    sub_40251F
.edata:004115DF
.edata:004115DF loc_4115DF:                             ; CODE XREF: sub_410BF5+742j
.edata:004115DF                                         ; sub_410BF5+759j
.edata:004115DF                 mov     eax, [ebp+var_4054]
.edata:004115E5                 push    eax
.edata:004115E6                 mov     ecx, [eax]
.edata:004115E8                 call    dword ptr [ecx+8]
.edata:004115EB
.edata:004115EB loc_4115EB:                             ; CODE XREF: sub_410BF5+70Ej
.edata:004115EB                                         ; sub_410BF5+72Dj
.edata:004115EB                 mov     eax, [ebp+pidl]
.edata:004115F1                 push    eax
.edata:004115F2                 mov     ecx, [eax]
.edata:004115F4                 call    dword ptr [ecx+8]
.edata:004115F7
.edata:004115F7 loc_4115F7:                             ; CODE XREF: sub_410BF5+6E4j
.edata:004115F7                 xor     edi, edi
.edata:004115F9                 xor     ebx, ebx
.edata:004115FB                 inc     edi
.edata:004115FC
.edata:004115FC loc_4115FC:                             ; CODE XREF: sub_410BF5+A8j
.edata:004115FC                                         ; sub_410BF5+C2j ...
.edata:004115FC                 lea     eax, [ebp+hKey]
.edata:00411602                 push    eax             ; phkResult
.edata:00411603                 mov     esi, offset aControlPanelDo ; "Control Panel\\don't load"
.edata:00411608                 push    esi             ; lpSubKey
.edata:00411609                 push    80000001h       ; hKey
.edata:0041160E                 call    ds:RegOpenKeyW
.edata:00411614                 test    eax, eax
.edata:00411616                 jz      short loc_411641
.edata:00411618                 push    ebx             ; lpdwDisposition
.edata:00411619                 lea     eax, [ebp+hKey]
.edata:0041161F                 push    eax             ; phkResult
.edata:00411620                 push    ebx             ; lpSecurityAttributes
.edata:00411621                 push    0F003Fh         ; samDesired
.edata:00411626                 push    ebx             ; dwOptions
.edata:00411627                 push    offset Class    ; lpClass
.edata:0041162C                 push    ebx             ; Reserved
.edata:0041162D                 push    esi             ; lpSubKey
.edata:0041162E                 push    80000001h       ; hKey
.edata:00411633                 call    ds:RegCreateKeyExW
.edata:00411639                 test    eax, eax
.edata:0041163B                 jnz     loc_4116DA
.edata:00411641
.edata:00411641 loc_411641:                             ; CODE XREF: sub_410BF5+A21j
.edata:00411641                 xor     eax, eax
.edata:00411643                 mov     [ebp+var_4030], ebx
.edata:00411649                 mov     [ebp+var_402C], ebx
.edata:0041164F                 mov     [ebp+var_402C], 7
.edata:00411659                 mov     [ebp+var_4030], ebx
.edata:0041165F                 mov     word ptr [ebp+lpData], ax
.edata:00411666                 mov     esi, offset aNo ; "No"
.edata:0041166B                 cmp     word ptr ds:aNo, ax ; "No"
.edata:00411672                 jnz     short loc_411678
.edata:00411674                 mov     eax, ebx
.edata:00411676                 jmp     short loc_41167F
.edata:00411678 ; ---------------------------------------------------------------------------
.edata:00411678
.edata:00411678 loc_411678:                             ; CODE XREF: sub_410BF5+A7Dj
.edata:00411678                 push    esi
.edata:00411679                 call    sub_4304EE
.edata:0041167E                 pop     ecx
.edata:0041167F
.edata:0041167F loc_41167F:                             ; CODE XREF: sub_410BF5+A81j
.edata:0041167F                 push    eax
.edata:00411680                 push    esi
.edata:00411681                 lea     ecx, [ebp+lpData]
.edata:00411687                 call    sub_40272C
.edata:0041168C                 mov     [ebp+var_4], 7
.edata:00411693                 mov     eax, [ebp+var_4030]
.edata:00411699                 cmp     [ebp+var_402C], 8
.edata:004116A0                 lea     eax, ds:2[eax*2]
.edata:004116A7                 push    eax             ; cbData
.edata:004116A8                 lea     ecx, [ebp+lpData]
.edata:004116AE                 cmovnb  ecx, [ebp+lpData]
.edata:004116B5                 push    ecx             ; lpData
.edata:004116B6                 push    edi             ; dwType
.edata:004116B7                 push    ebx             ; Reserved
.edata:004116B8                 push    offset aWscui_cpl ; "wscui.cpl"
.edata:004116BD                 push    [ebp+hKey]      ; hKey
.edata:004116C3                 call    ds:RegSetValueExW
.edata:004116C9                 or      [ebp+var_4], 0FFFFFFFFh
.edata:004116CD                 push    ebx
.edata:004116CE                 push    edi
.edata:004116CF                 lea     ecx, [ebp+lpData]
.edata:004116D5                 call    sub_40251F
.edata:004116DA
.edata:004116DA loc_4116DA:                             ; CODE XREF: sub_410BF5+A46j
.edata:004116DA                 mov     ecx, [ebp+var_C]
.edata:004116DD                 mov     large fs:0, ecx
.edata:004116E4                 pop     ecx
.edata:004116E5                 pop     edi
.edata:004116E6                 pop     esi
.edata:004116E7                 pop     ebx
.edata:004116E8                 mov     ecx, [ebp+var_10]
.edata:004116EB                 xor     ecx, ebp
.edata:004116ED                 call    sub_4305AD
.edata:004116F2                 leave
.edata:004116F3                 retn
.edata:004116F3 sub_410BF5      endp
.edata:004116F3
.edata:004116F4

• Release malicious files

C:\Users\Administrator\Desktop\Attentive Antivirus.lnk
C:\Users\Administrator\Desktop\Uninstall Attentive Antivirus.lnk
C:\Users\Administrator\Desktop\Attentive Antivirus purchase info.html
C:\Users\Administrator\Desktop\Attentive Antivirus registration info.url
C:\Users\Administrator\Desktop\Attentive Antivirus support.url
C:\ProgramData\[*random*]\[*random*].exe
C:\ProgramData\g[*random*]\[*random*].exe.manifest

• Modify and create registry entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|AA2014
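As an added offline triage example (not code from the original page or from Anvisoft), the following Python checks a collected file listing and registry snapshot against the file and registry indicators listed above. The sample snapshot, the folder name kx8t2q and the requirement that the .exe.manifest sit beside the dropped executable are constructed assumptions.

```python
import re

# Indicators copied from the page's file and registry lists above.
DESKTOP_ARTIFACTS = {
    "attentive antivirus.lnk",
    "uninstall attentive antivirus.lnk",
    "attentive antivirus purchase info.html",
    "attentive antivirus registration info.url",
    "attentive antivirus support.url",
}
# C:\ProgramData\[random]\[random].exe; the page also lists an .exe.manifest,
# so (assumption) the manifest must sit beside the executable to be flagged.
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "aa2014"
UNINSTALL_KEY = r"hkcu\software\microsoft\windows\currentversion\uninstall\attentive antivirus"


def find_file_artifacts(paths):
    """Return (label, path) pairs for paths matching the page's file indicators."""
    lowered = {p.lower() for p in paths}
    hits = []
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\desktop\\" in low and name in DESKTOP_ARTIFACTS:
            hits.append(("desktop-shortcut", p))
        elif PROGRAMDATA_EXE.match(low) and low + ".manifest" in lowered:
            hits.append(("programdata-dropper", p))
    return hits


def find_registry_artifacts(reg):
    """reg maps key path -> {value name: data}; keys and names compared case-insensitively."""
    norm = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in reg.items()}
    hits = []
    if RUN_VALUE in norm.get(RUN_KEY, {}):
        hits.append(("run-persistence", norm[RUN_KEY][RUN_VALUE]))
    if UNINSTALL_KEY in norm:
        hits.append(("fake-uninstall-entry", UNINSTALL_KEY))
    return hits


# Constructed sample snapshot (not from a real host): infected desktop plus clean files.
SAMPLE_FILES = [
    r"C:\Users\Administrator\Desktop\Attentive Antivirus.lnk",
    r"C:\Users\Administrator\Desktop\notes.txt",
    r"C:\ProgramData\kx8t2q\kx8t2q.exe",
    r"C:\ProgramData\kx8t2q\kx8t2q.exe.manifest",
    r"C:\ProgramData\Vendor\updater.exe",  # no manifest beside it: not flagged
]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "AA2014": r"C:\ProgramData\kx8t2q\kx8t2q.exe", "OneDrive": r"C:\legit\OneDrive.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus": {
        "DisplayName": "Attentive Antivirus"},
}
```

A Run value pointing at a ProgramData executable that also has a matching desktop shortcut set is the combination worth acting on; a single hit on its own should be confirmed by hand.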
  • IMMA

    Thanks for this article.

    I have followed all the steps for getting rid of Hola Search engine.

    It has worked for Firefox. But for Google Chrome it is still there.

    I changed all the settings and I made as a default engine AVG Secure. When I open Google Chrome again the first page is again HOLA SEARCH.

    If then I do a specific search in the Chrome bar, it goes with AVG Secure. But with each new page Hola Search appears again.

    How can I eliminate it completely?

    Thanks for your help,

    IMMA

    • Ivy_Anvisoft

      Hi IMMA,

      Thank you for posting your problem here.

      The hola search can be removed manually and completely. You must have missed something when you tried to remove the search engine from your Google Chrome. Please try again with the instructions below to check if anything related to hola search is left behind on your computer.

      1. Go to Control Panel, Add/Remove Programs, search for programs related to hola search and then remove them. Please check carefully.

      2. Repair Google Chrome search engine as instructed in the article.

      http://blog.anvisoft.com/news-threats/remove-hola-search-www-holasearch-com-homepage-uninstall-guide/

      3. Check startup item

      1) Click on the Start button to launch the Start menu.

      2) Type msconfig into the text box and then press Enter to locate msconfig; if you are using Windows XP, please click Run and then type msconfig to start msconfig. The System Configuration page will appear.

      3) Switch to the Startup tab; you will see the programs that run at the application level when Windows starts. Remove the check from the box next to programs related to hola search, and then confirm your settings by pressing the Apply and OK buttons.

      If any problem, please let me know. I am always glad to offer help.

      • IMMA

        Thank you very much for your reply.

        I have done everything again. I typed msconfig and I checked the list with the programs that run when Windows starts. There was nothing related to HolaSearch.

        What happens is that even after the correction of the settings, the first time I open Chrome, Hola Search appears. Then if I select a new tab, in that new one AVG Secure Search appears (as I want).

        I have now pasted a new URL in “On start-up” (in Settings). It works, I now have that custom HomePage. And I thought Hola Search had disappeared, but I can see it again in Settings “Search, and Manage Search engines”. So I guess it is still doing something to the computer.

        Do you think of something that is changing the settings after I correct them?

        Thank you very much for your help,

        Imma

        • Ivy_Anvisoft

          Have you performed tip 4 to repair the search engine?

          If you ignore the step, the hola search of course will come back.

          By the way, you can try an alternative way to troubleshoot your problem by restoring your Google Chrome settings:

          1. Exit Google Chrome completely.

          2. Enter the keyboard shortcut Windows key + E to open Windows Explorer.

          3. In the Windows Explorer window that appears, enter the following in the address bar.

          Windows XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data
          Windows Vista/ Windows 7/ Windows 8: %LOCALAPPDATA%\Google\Chrome\User Data

          4. Locate the folder called “Default” in the directory window that opens and rename it as “Backup default.”

          5. Try opening Google Chrome again. A new “Default” folder is automatically created as you start using the browser.

          • IMMA

            THANK YOU VERY MUCH!

            IT IS DONE

            (Yes, I had done all the previous steps you recommended before many times…
            With the alternative instructions, this new “default folder” has been created and Google Chrome is restored. I have checked the settings and there is NO Hola Search).

            Thank you again, you have been very helpful.

          • Ivy_Anvisoft

            Glad to hear that. Thanks a lot for letting me know.

  • IMMA

    I write again because of the HOLA SEARCH.
    Another problem is that when I open Google Chrome again it has not saved all the settings. When I check them all, I can see that “Manage Search Engine” has again the same HOLA SEARCH.
    Thanks for your help in advance