Since no one else did it yet, I booted up the ol' Windows VM to see what it does on a practical basis.
It starts out appearing as a normal AC installer, ending with the expected opening of the AC website:
1. https://uloadr.com/u/l5p.png
2. https://uloadr.com/u/onc.png
3. https://uloadr.com/u/8lg.png
4. https://uloadr.com/u/6t3.png
5. https://uloadr.com/u/cny.png
6. https://uloadr.com/u/958.png
7. https://uloadr.com/u/jrt.png
8. https://uloadr.com/u/3p4.png
9. https://uloadr.com/u/t4m.png
10. https://uloadr.com/u/3ng.png
11. https://uloadr.com/u/87d.png
During and after this installation, Process Explorer shows no malicious processes:
12. https://uloadr.com/u/654.png
13. https://uloadr.com/u/tuy.png
The AC which was just installed launches OK:
14. https://uloadr.com/u/u6n.png
After launching AC and after closing it, there are still no malicious processes:
15. https://uloadr.com/u/81p.png
16. https://uloadr.com/u/5q2.png
17. https://uloadr.com/u/3yb.png
At this point I rebooted just in case any malware needed a chance to get going.
Updated MBAM and ran a quick scan (full scan is not necessary):
18. https://uloadr.com/u/49j.png
While that was running, I ran a checksum on the "fake" AC installer and the "real" one hosted on the genuine site. They match (fake first, real second):
19. https://uloadr.com/u/am0.png
20. https://uloadr.com/u/0ok.png
The MBAM scan completed clean:
21. https://uloadr.com/u/i05.png
As a final check, GMER (rootkit detector) was also clean. (No screenshot included as there is absolutely nothing to see.)
Conclusion: No malware or anything otherwise malicious -- the installer wasn't even tampered with -- except misdirecting users, possibly in an attempt to get advertisement hits or to establish the false site as genuine for future attacks.
Also, browser search settings were not tampered with, nor were any toolbars or other unwanted packages installed.
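A script for the checksum comparison described in the post, added here as an example (not the poster's tool): it streams each file once through several digests, compares the results in constant time, and writes constructed sample files so it runs stand-alone. Matching digests show the download is byte-identical to the reference installer; they say nothing about whether the site that served it is trustworthy.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_installers(suspect_path, reference_path):
    """Compare a suspect download against the installer from the genuine site.

    Returns {algorithm: bool}; True for every algorithm means identical bytes.
    """
    suspect = digest_file(suspect_path)
    reference = digest_file(reference_path)
    return {name: hmac.compare_digest(suspect[name], reference[name])
            for name in ALGORITHMS}


def all_match(result):
    return all(result.values())


def demo():
    """Constructed sample: an identical copy, then a copy differing in one byte."""
    genuine = b"MZ" + bytes(range(256)) * 64  # constructed stand-in for the real installer
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "ac_installer_genuine_site.exe")
        same = os.path.join(tmp, "ac_installer_other_site.exe")
        altered = os.path.join(tmp, "ac_installer_altered.exe")
        for path, data in ((ref, genuine), (same, genuine), (altered, genuine[:-1] + b"\x00")):
            with open(path, "wb") as fh:
                fh.write(data)
        return (all_match(compare_installers(same, ref)),
                all_match(compare_installers(altered, ref)))


if __name__ == "__main__":
    print(demo())  # (True, False)
```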