Malwarebytes

How to install ...


#1
SecurityInfo

"I think these work by automatically rebranding a core installer based on temp info. I was able to get all variants installed by grabbing the 14 meg unbranded installer (AVSystemcare) installer and then interrupting the install process of each variation and then dropping the 14 meg file into the temp folder. I had to clear my temp folders each time to get this to work."

I have tried to install other variants; all of them download the same exe (install_en.exe), which installs AVSystemCare. Can you tell me how to install other variants? I think the generic installer takes its settings from an ini file in the temp folder (ga6plicense.ini).

#2
RubbeR DuckY

Just to clear up, this question is aimed toward nosirrah's post. Nosirrah, if you could post back.
Marcin Kleczynski
President and CEO

#3
SwampDiner

I had the same question you did, but I already PMed him earlier. Here's Nosirrah's reply.


Quote

I will do this step by step. There may be extra steps in here but this does work every time (for at least the ones that I mentioned in my first post in the forum; I did not test the foreign language ones yet).

Start by using ccleaner (or equivalent) to wipe out all traces of previous temp info, otherwise you will only get the last one you downloaded. Also nuke your downloaded programs files; you can use IceSword to browse this folder and kill only the ones created while working on this. If you browse this folder from Explorer, Windows will prevent you from dealing with these files correctly. IceSword will also let you copy these files to a second location where you can work with them normally.

Go to the home page, let's start with http://antiworm2008.com. I think that this step sets up the temp info for branding.

Now add /data/?450801071357510a5501&mpt=1181125634&gai=swg_av&gli=3948&gff=pp_1084837492&ax=4&wqbp=7484-46197-7784-0 and click go. This step will bring up a page where you can download the downloader. Click "click here to scan" to start the download (install_en.exe). This file has the same MD5 for all versions. Run the app directly from the web.

The Antiworm2008 installer will pop up once the 155k file is downloaded; click continue.

This will bring up a downloader that will begin the 14 meg download of the unbranded AVSystemcare core installer. This is the only time you have to actually download this file. It drops into C:\Documents and Settings\********\Local Settings\Temp\NI.UGA6P_0001_N105M2704\setup.exe. Once the install finishes this file is executed but not removed; copy it to your desktop. Once you have collected all of the data for RR removal, remove the rogue and then go back to step one to clear out your temp and downloaded programs. For me the first 155k downloader sometimes went into downloaded programs and sometimes went into temp internet files; nuke them both just to be certain.

The next trip through with a second rogue you can bypass the 14 meg download by doing the following.

Allow the 14 meg download to start and then kill the process install_en.exe.

Go to the following folder and replace the partially downloaded setup.exe file with the one you saved earlier: C:\Documents and Settings\*******\Local Settings\Temp\NI.UGA6P_0001_N105M2704.

Now click "click here to scan" a second time and the install will be almost instant because the core will already be in place. Whatever page you started with will brand setup.exe as it installs.

The GUIDs from AVSystemcare are all reused and identical for each rogue; the only things that are different are the folder paths for the install. There should be appdata and commonfiles folders as well as the program folder.

As this sounded too complicated for me :) I just took the time to redownload the 14 mb file every time. To do this, it is still necessary to get the temp information from the website you wish to download from. The trick here is the /data Nosirrah already posted in addition to the homepage you want.
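
Nosirrah's last point (identical GUIDs, only the folder paths differ) can be checked once removal data has been collected from each variant. The following is an added example, not code from this thread: the inventory format, the brand "ExampleRogue", and every GUID and path in it are constructed placeholders. It separates brand-independent indicators from per-variant ones.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed inventories, one per installed variant. "ExampleRogue" is a
# made-up brand; every GUID and path is a placeholder, not sample data.
INVENTORIES = {
    "AVSystemcare": r"""
HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}
HKLM\SOFTWARE\Classes\TypeLib\{22222222-2222-2222-2222-22222222AAAA}
C:\Program Files\AVSystemcare
C:\Program Files\Common Files\AVSystemcare
C:\Documents and Settings\user\Application Data\AVSystemcare
""",
    "Antiworm2008": r"""
HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}
HKLM\SOFTWARE\Classes\TypeLib\{22222222-2222-2222-2222-22222222aaaa}
C:\Program Files\Antiworm2008
C:\Program Files\Common Files\Antiworm2008
C:\Documents and Settings\user\Application Data\Antiworm2008
""",
    "ExampleRogue": r"""
HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}
HKLM\SOFTWARE\Classes\TypeLib\{22222222-2222-2222-2222-22222222AAAA}
C:\Program Files\ExampleRogue
C:\Program Files\Common Files\ExampleRogue
C:\Documents and Settings\user\Application Data\ExampleRogue
""",
}

def parse(text):
    """Split one inventory into (GUIDs, folder paths); GUIDs are upper-cased."""
    guids, paths = set(), set()
    for line in filter(None, map(str.strip, text.splitlines())):
        found = GUID_RE.findall(line)
        if found:
            guids.update(g.upper() for g in found)
        else:
            paths.add(line)
    return guids, paths

def split_indicators(inventories):
    """Return (GUIDs shared by all variants, shared folder layout, per-variant paths)."""
    parsed = {name: parse(text) for name, text in inventories.items()}
    shared_guids = set.intersection(*(g for g, _ in parsed.values()))
    # Replace the brand with a token so only the folder layout is compared.
    layouts = [{p.replace(n, "<BRAND>") for p in ps} for n, (_, ps) in parsed.items()]
    per_variant = {n: sorted(ps) for n, (_, ps) in parsed.items()}
    return sorted(shared_guids), sorted(set.intersection(*layouts)), per_variant
```

GUIDs that survive the intersection suit a single generic removal rule; the per-variant paths still need one entry per brand.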