Worm.Win32.AutoItGen_855ff7095b

by malwarelabrobot on December 13th, 2014 in Malware Descriptions.

mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 855ff7095b49e99e27b8ff3145da74d5
SHA1: ae759bb60b39c72f48381c6b23b145dfec996ce6
SHA256: 0a8be0b24df9c0640e3e816e960c4528433f29e2b605be4997e954c63c366a1f
SSDeep: 196608:MUNaSTLvDBn dH1Bj8dTivH0Mk2mWut sT7L7laObT3JA6R hPuu:lwS3vDY7B025b67EObDW6R luu
Size: 8728176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Free Software Group
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

FreeMediaPlayer.exe:720
tsassist.exe:3364
tsassist.exe:2836
_silent_full_bundleZenSearch_prod.exe:3052
SetupFileTypes.exe:3008
tsasetup.exe:1992
tsasetup.exe:3208
tsasetup.tmp:3180
tsasetup.tmp:1380
netsh.exe:1256
prepare.exe:1480
makecab.exe:3856
singleZenSearchUpdater.exe:3040
install.exe:3552
TPAutoConnSvc.exe:1844
%original file name%.exe:1660
855ff7095b49e99e27b8ff3145da74d5.tmp:2224
TrustedInstaller.exe:3828
Cloud_Backup_Setup.exe:2672
singleZenSearch.exe:928
zensearchsetup.exe:720
vcredist_x64.exe:3528
MyPC Backup.exe:3888
updater.exe:1952
BackupSetup.exe:3224
helper.exe:3476
zensearchsetup.tmp:2652
taskeng.exe:2836

The Worm injects its code into the following process(es):

ftacfg.exe:1752

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process FreeMediaPlayer.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe (274 bytes)

The process tsassist.exe:3364 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\FileTypeAssistant\log.txt (564 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.pci (63 bytes)

The process tsassist.exe:2836 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\log.txt (1655 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.pci (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\prefs.dat (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\req.dat (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\rsp.dat (65 bytes)
%Program Files% (x86)\File Type Assistant\itdownload.dll (208 bytes)

The process _silent_full_bundleZenSearch_prod.exe:3052 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearchUpdater.exe (36747 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe (63999 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\resources.zip (966 bytes)

The process tsasetup.exe:1992 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-JUP7C.tmp\tsasetup.tmp (1416 bytes)

The process tsasetup.exe:3208 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\is-OJD5P.tmp\tsasetup.tmp (1416 bytes)

The process tsasetup.tmp:3180 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\File Type Assistant\unins000.msg (771 bytes)
%Program Files% (x86)\File Type Assistant\unins000.ref (34 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\is-P1HEA.tmp (4549 bytes)
C:\Windows\Temp\is-6TP9C.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\unins000.dat (12497 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_setup64.tmp (6 bytes)

The process tsasetup.tmp:1380 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\File Type Assistant\is-KHAIO.tmp (9098 bytes)
%Program Files% (x86)\File Type Assistant\is-V741D.tmp (8281 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\is-7J4AT.tmp (1281 bytes)
%Program Files% (x86)\File Type Assistant\unins000.dat (11020 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.id (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\File Type Assistant\is-9QDMO.tmp (4549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\File Type Assistant\is-R5A85.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\unins000.msg (771 bytes)
%Program Files% (x86)\File Type Assistant\ftacfg.exe (49 bytes)

The process makecab.exe:3856 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Logs\CBS\CbsPersist_20141212153428.cab (11744 bytes)
C:\Windows\Temp\cab_3856_4 (564989 bytes)
C:\Windows\Temp\cab_3856_5 (76 bytes)
C:\Windows\Temp\cab_3856_6 (8 bytes)
C:\Windows\Temp\cab_3856_2 (564989 bytes)
C:\Windows\Temp\cab_3856_3 (76 bytes)

The process singleZenSearchUpdater.exe:3040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch Updater\updater.exe (28535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\ZenSearch Updater.bat (215 bytes)
%Program Files% (x86)\ZenSearch Updater\uninstall.exe (8281 bytes)
%Program Files% (x86)\ZenSearch Updater\resources.zip (2472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\report[1].htm (2 bytes)

The process install.exe:3552 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\29b8fe1277d49fe83693\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI1267.txt (205235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWL930C.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI1267.txt (132562 bytes)

The process %original file name%.exe:1660 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-FJGAI.tmp\855ff7095b49e99e27b8ff3145da74d5.tmp (1429 bytes)

The process 855ff7095b49e99e27b8ff3145da74d5.tmp:2224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\FreeAllInOneMediaPlayer\is-I0L4E.tmp (783 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-E95GE.tmp (55 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9JB09.tmp (22284 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe (716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\tsasetup.exe (9147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-OTDJ8.tmp (10 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VLNPC.tmp (7385 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-D425V.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-0BOH6.tmp (14 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VQSHR.tmp (2321 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-BFFP6.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-U6OIC.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-N04MB.tmp (6841 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-173KK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zen.txt (18 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-JJ202.tmp (25 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9PGPG.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-C166H.tmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.msg (363 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-3PRFD.tmp (1281 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-H7OJQ.tmp (26 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free All-In-One Media Player.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Uninstall.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-6DUV3.tmp (1425 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-LKF4U.tmp (54589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\Cloud_Backup_Setup.exe (678 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.dat (9740 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-DDS08.tmp (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zensearchsetup.exe (20650 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-78P5N.tmp (24 bytes)

The process TrustedInstaller.exe:3828 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\ffb3b0252116d00110000000f40efc0e_manifest (5 bytes)
C:\Windows\winsxs\Temp\504b71282116d00128000000f40efc0e\504b71282116d0012a000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00147000000f40efc0e_vcomp90.dll (120 bytes)
C:\Windows\System32\config\SOFTWARE (46584 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (21016 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00114000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\71ee61272116d00124000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\2678da242116d00109000000f40efc0e\2678da242116d0010b000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\3ceaf2292116d0014c000000f40efc0e\9c4bf5292116d0014d000000f40efc0e_manifest (676 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\ab90c6212116d00105000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00138000000f40efc0e_mfc90jpn.dll (95 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00132000000f40efc0e_mfc90esn.dll (130 bytes)
C:\Windows\winsxs\Temp\3ceaf2292116d0014c000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00130000000f40efc0e_mfc90chs.dll (78 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00113000000f40efc0e_msvcm90.dll (1526 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00135000000f40efc0e_mfc90enu.dll (113 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\504b71282116d00128000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\3ceaf2292116d0014c000000f40efc0e\9c4bf5292116d0014e000000f40efc0e_catalog (22 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00146000000f40efc0e_manifest (864 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\4b2fc4212116d00104000000f40efc0e_atl90.dll (853 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\4b2fc4212116d00103000000f40efc0e_manifest (859 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00148000000f40efc0e_catalog (22 bytes)
C:\Windows\winsxs\Temp\2678da242116d00109000000f40efc0e (4 bytes)
C:\Windows\System32\config\COMPONENTS (203596 bytes)
C:\Windows\winsxs\Temp\2b925a292116d0013f000000f40efc0e\2b925a292116d00141000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\ffb3b0252116d00111000000f40efc0e_msvcr90.dll (4811 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\758371262116d00118000000f40efc0e\d5e473262116d0011a000000f40efc0e_catalog (21 bytes)
C:\Windows\Logs\CBS\CBS.log (84188 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\108d5f272116d00122000000f40efc0e_mfc90.dll (38780 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\b02b5d272116d00120000000f40efc0e_mfcm90.dll (670 bytes)
C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
C:\Windows\winsxs\Temp\2b925a292116d0013f000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00137000000f40efc0e_mfc90ita.dll (129 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (80713 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\2b925a292116d0013f000000f40efc0e\2b925a292116d00140000000f40efc0e_manifest (766 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00131000000f40efc0e_mfc90cht.dll (79 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00139000000f40efc0e_mfc90kor.dll (95 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
C:\Windows\winsxs\Temp\504b71282116d00128000000f40efc0e\504b71282116d00129000000f40efc0e_manifest (760 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4395 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\566caa282116d0013b000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\71ee61272116d00123000000f40efc0e_mfcm90u.dll (670 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00133000000f40efc0e_mfc90esp.dll (130 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d0012f000000f40efc0e_manifest (13 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (43534 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (14760 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d0013a000000f40efc0e_mfc90rus.dll (127 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\50ca5a272116d0011f000000f40efc0e_manifest (6 bytes)
C:\Windows\winsxs\Temp\2678da242116d00109000000f40efc0e\2678da242116d0010a000000f40efc0e_manifest (760 bytes)
C:\Windows\System32\config\SYSTEM (3248 bytes)
C:\Windows\System32\config\COMPONENTS.LOG1 (195404 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00136000000f40efc0e_mfc90fra.dll (670 bytes)
C:\Windows\winsxs\Temp\758371262116d00118000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\108d5f272116d00121000000f40efc0e_mfc90u.dll (38780 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00134000000f40efc0e_mfc90deu.dll (670 bytes)
C:\Windows (288 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
C:\Windows\System32\config (772 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\758371262116d00118000000f40efc0e\758371262116d00119000000f40efc0e_manifest (760 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00112000000f40efc0e_msvcp90.dll (7701 bytes)

The process Cloud_Backup_Setup.exe:2672 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse281.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BackupSetup.exe (25515 bytes)

The process singleZenSearch.exe:928 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\ZenSearch\ZenSearch\settings\settings.js (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (18978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\input-430.png (480 bytes)
%Program Files% (x86)\ZenSearch\resources.zip (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\icons\readme.txt (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\testPrsys.js (2 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\sprs.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery-1.9.1.min.js (601 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\background.html (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery.min.map (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\browser_util.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery-1.9.1.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\product.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\sprs.png (56 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\testPrsys.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\settings\settings.js (502 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery.min.map (2392 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\browser_util.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\input-430.png (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WDUL1PG1\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch\uninstall000.exe (14988 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\background.html (509 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\zensearch.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\product.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\zensearch.png (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\icons\readme.txt (33 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\btn-search2.png (918 bytes)

The process zensearchsetup.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-ME10U.tmp\zensearchsetup.tmp (1408 bytes)

The process vcredist_x64.exe:3528 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\29b8fe1277d49fe83693\install.res.1036.dll (1355 bytes)
C:\29b8fe1277d49fe83693\eula.1033.txt (10 bytes)
C:\29b8fe1277d49fe83693 (8 bytes)
C:\29b8fe1277d49fe83693\install.res.1040.dll (2110 bytes)
C:\29b8fe1277d49fe83693\install.res.3082.dll (989 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\29b8fe1277d49fe83693\eula.1031.txt (229 bytes)
C:\29b8fe1277d49fe83693\eula.1040.txt (657 bytes)
C:\29b8fe1277d49fe83693\install.res.2052.dll (1632 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1042.txt (650 bytes)
C:\29b8fe1277d49fe83693\eula.1028.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.res.1041.dll (1126 bytes)
C:\29b8fe1277d49fe83693\eula.1041.txt (5 bytes)
C:\29b8fe1277d49fe83693\install.res.1033.dll (1452 bytes)
C:\29b8fe1277d49fe83693\eula.1049.txt (13 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.3082.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\29b8fe1277d49fe83693\globdata.ini (1 bytes)
C:\29b8fe1277d49fe83693\install.exe (13918 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\$shtdwn$.req (788 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\29b8fe1277d49fe83693\vc_red.cab (65618 bytes)
C:\29b8fe1277d49fe83693\install.res.1042.dll (1988 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1036.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\29b8fe1277d49fe83693\install.res.1049.dll (1720 bytes)
C:\29b8fe1277d49fe83693\install.res.1031.dll (1160 bytes)
C:\29b8fe1277d49fe83693\eula.2052.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.ini (844 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\install.res.1028.dll (1130 bytes)
C:\29b8fe1277d49fe83693\vc_red.msi (3176 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs (8 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\29b8fe1277d49fe83693\vcredist.bmp (5 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)

The process MyPC Backup.exe:3888 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5F7E.tmp (56 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5F7F.tmp (2784 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)

The process updater.exe:1952 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\UpdaterTimeOut[1] (81 bytes)

The process BackupSetup.exe:3224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuC03.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (385701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (320115 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)

The process helper.exe:3476 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\CityHash.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\System.dll (23 bytes)

The process zensearchsetup.tmp:2652 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_silent_full_bundleZenSearch_prod.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.dat (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.exe (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\InstallerScreen2d.bmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\is-FLUOA.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_RegDLL.tmp (4 bytes)

Registry activity

The process FreeMediaPlayer.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rm" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mkv" = "1"
".mp4" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"fir" = "0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".MP2" = "1"
".MP3" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mp4" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".dts" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mka" = "1"
".dts" = "1"
".APE" = "1"
".m4v" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".OGG" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"vol" = "127"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".AAC" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".3gp" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".ogm" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".flv" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3gp" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".ra" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".avi" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".rm" = "1"
".TTA" = "1"
".M4A" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpa" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mkv" = "1"
".OFR" = "1"
".divx" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mov" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"mut" = "0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".TTA" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\MostRecentApplication]
"Name" = "FreeMediaPlayer.exe"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".m4v" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AAC" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mka" = "1"
".OFR" = "1"
".ogm" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".MP2" = "1"
".MP3" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".MPC" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".FLAC" = "1"
".divx" = "1"
".WAV" = "1"
".wma" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpg" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".ra" = "1"
".vob" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".M4A" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3g2" = "1"
".flv" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".wmv" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".WAV" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".AC3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".rmvb" = "1"
".avi" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rmvb" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FreeMediaPlayer.exe"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".OGG" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".wmv" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AC3" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".APE" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".FLAC" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mpg" = "1"
".mpeg" = "1"
".MPC" = "1"
".vob" = "1"
".mpa" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpeg" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1345038576"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".3g2" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".wma" = "1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mov" = "1"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process tsassist.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\FileTypeAssistant]
"CHK_GUID" = "9600c9de-ba93f2b5-bddd7810-69819463"
"CHK_ID" = "16696878"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process _silent_full_bundleZenSearch_prod.exe:3052 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

The process SetupFileTypes.exe:3008 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mp4" = "1"

[HKCR\Free All-In-One Media Player.M4V\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".FLAC" = "1"

[HKCR\Free All-In-One Media Player.MP4\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.MKV]
"(Default)" = "Free All-In-One Media Player MKV file"

[HKCR\Free All-In-One Media Player.3GP\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCR\Free All-In-One Media Player.AAC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.AC3\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3gp" = "1"

[HKCR\.ra]
"(Default)" = "Free All-In-One Media Player.RA"

[HKCR\Free All-In-One Media Player.RMVB\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rm" = "1"

[HKCR\Free All-In-One Media Player.MKA]
"(Default)" = "Free All-In-One Media Player MKA file"

[HKCR\Free All-In-One Media Player.3G2\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\.m4v]
"(Default)" = "Free All-In-One Media Player.M4V"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AAC" = "1"
".3g2" = "1"

[HKCR\.3g2]
"(Default)" = "Free All-In-One Media Player.3G2"

[HKCR\Free All-In-One Media Player.DTS\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".ra" = "1"

[HKCR\.flv]
"(Default)" = "Free All-In-One Media Player.FLV"

[HKCR\Free All-In-One Media Player.TTA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.OFR]
"(Default)" = "Free All-In-One Media Player OFR file"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".flv" = "1"

[HKCR\Free All-In-One Media Player.MP4]
"(Default)" = "Free All-In-One Media Player MP4 file"

[HKCR\Free All-In-One Media Player.APE\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.AC3]
"(Default)" = "Free All-In-One Media Player AC3 file"

[HKCR\Free All-In-One Media Player.FLAC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.DIVX]
"(Default)" = "Free All-In-One Media Player DIVX file"

[HKCR\Free All-In-One Media Player.MPC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.DTS]
"(Default)" = "Free All-In-One Media Player DTS file"

[HKCR\.mp4]
"(Default)" = "Free All-In-One Media Player.MP4"

[HKCR\Free All-In-One Media Player.VOB\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.MKV\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.MKV\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".APE" = "1"
".m4v" = "1"

[HKCR\Free All-In-One Media Player.RM\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.TTA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.FLAC]
"(Default)" = "Free All-In-One Media Player FLAC file"

[HKCR\Free All-In-One Media Player.OFR\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.RA]
"(Default)" = "Free All-In-One Media Player RA file"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".vob" = "1"

[HKCR\Free All-In-One Media Player.RM]
"(Default)" = "Free All-In-One Media Player RM file"

[HKCR\Free All-In-One Media Player.3GP\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".MPC" = "1"

[HKCR\Free All-In-One Media Player.APE\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.MP4\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.FLAC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.AAC]
"(Default)" = "Free All-In-One Media Player AAC file"

[HKCR\.aac]
"(Default)" = "Free All-In-One Media Player.AAC"

[HKCR\Free All-In-One Media Player.MKA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.3G2]
"(Default)" = "Free All-In-One Media Player 3G2 file"

[HKCR\.flac]
"(Default)" = "Free All-In-One Media Player.FLAC"

[HKCR\Free All-In-One Media Player.VOB]
"(Default)" = "Free All-In-One Media Player VOB file"

[HKCR\Free All-In-One Media Player.AAC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.3G2\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.M4V\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.3GP]
"(Default)" = "Free All-In-One Media Player 3GP file"

[HKCR\.rm]
"(Default)" = "Free All-In-One Media Player.RM"

[HKCR\Free All-In-One Media Player.MKA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.RMVB\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.RA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.RMVB]
"(Default)" = "Free All-In-One Media Player RMVB file"

[HKCR\Free All-In-One Media Player.M4V]
"(Default)" = "Free All-In-One Media Player M4V file"

[HKCR\Free All-In-One Media Player.RA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".OFR" = "1"

[HKCR\.mka]
"(Default)" = "Free All-In-One Media Player.MKA"

[HKCR\Free All-In-One Media Player.RM\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\.3gp]
"(Default)" = "Free All-In-One Media Player.3GP"

[HKCR\Free All-In-One Media Player.MPC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.TTA]
"(Default)" = "Free All-In-One Media Player TTA file"

[HKCR\.ape]
"(Default)" = "Free All-In-One Media Player.APE"

[HKCR\.vob]
"(Default)" = "Free All-In-One Media Player.VOB"

[HKCR\.divx]
"(Default)" = "Free All-In-One Media Player.DIVX"

[HKCR\.dts]
"(Default)" = "Free All-In-One Media Player.DTS"

[HKCR\Free All-In-One Media Player.VOB\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".dts" = "1"

[HKCR\Free All-In-One Media Player.APE]
"(Default)" = "Free All-In-One Media Player APE file"

[HKCR\.ac3]
"(Default)" = "Free All-In-One Media Player.AC3"

[HKCR\.rmvb]
"(Default)" = "Free All-In-One Media Player.RMVB"

[HKCR\.ofr]
"(Default)" = "Free All-In-One Media Player.OFR"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mka" = "1"
".divx" = "1"

[HKCR\Free All-In-One Media Player.DIVX\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\.mkv]
"(Default)" = "Free All-In-One Media Player.MKV"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mkv" = "1"
".TTA" = "1"

[HKCR\Free All-In-One Media Player.DIVX\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.MPC]
"(Default)" = "Free All-In-One Media Player MPC file"

[HKCR\.mpc]
"(Default)" = "Free All-In-One Media Player.MPC"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AC3" = "1"

[HKCR\.tta]
"(Default)" = "Free All-In-One Media Player.TTA"

[HKCR\Free All-In-One Media Player.FLV\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.DTS\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.FLV]
"(Default)" = "Free All-In-One Media Player FLV file"

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rmvb" = "1"

[HKCR\Free All-In-One Media Player.OFR\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"

[HKCR\Free All-In-One Media Player.FLV\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

[HKCR\Free All-In-One Media Player.AC3\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3G2"
".MP4"
".3GP"
".AC3"
".MKA"
".RMVB"
".RM"
".DIVX"
".FLAC"
".APE"
".M4V"
".RA"
".VOB"
".MKV"
".OFR"
".MPC"
".TTA"
".DTS"
".FLV"
".AAC"

The process tsasetup.tmp:3180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallLocation" = "%Program Files% (x86)\File Type Assistant\"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallDate" = "20141212"

"MinorVersion" = "4"

[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\File Type Assistant"
"Inno Setup: Setup Version" = "5.4.0 (a)"
"QuietUninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe /SILENT"
"DisplayVersion" = "2013.4.8.0"
"NoRepair" = "1"

[HKCR\Unknown\shell\opendlg\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"UninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe"
"Inno Setup: User" = "SYSTEM"
"EstimatedSize" = "691"

[HKCR\*\shell\!fta\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe /showinfo %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"DisplayName" = "File Type Assistant"

[HKCR\*\shell\!fta]
"(Default)" = "Show how to open this file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"MajorVersion" = "2013"
"Inno Setup: Language" = "default"
"Inno Setup: Icon Group" = "File Type Assistant"
"NoModify" = "1"
"URLInfoAbout" = "http://www.trustedsoftware.com"

[HKCR\Unknown\shell\openas\command]
"DelegateExecute" = ""

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]

The Worm deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"

The process tsasetup.tmp:1380 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallLocation" = "%Program Files% (x86)\File Type Assistant\"
"InstallDate" = "20141212"
"MinorVersion" = "4"

[HKCR\*\shell\!fta]
"(Default)" = "Show how to open this file"

[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\File Type Assistant"

[HKCR\Unknown\shell\openas\command]
"tsa_backup" = "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: Setup Version" = "5.4.0 (a)"
"QuietUninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe /SILENT"
"DisplayVersion" = "2013.4.8.0"
"NoRepair" = "1"

[HKCR\Unknown\shell\opendlg\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"UninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"EstimatedSize" = "6363"

[HKCR\*\shell\!fta\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe /showinfo %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"DisplayName" = "File Type Assistant"

[HKCR\Unknown\shell\opendlg\command]
"tsa_backup" = "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

[HKCR\Unknown\shell\openas\command]
"tsa_de_backup" = "{e44e9428-bdbc-4987-a099-40dc8fd255e7}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"MajorVersion" = "2013"
"Inno Setup: Language" = "default"
"Inno Setup: Icon Group" = "File Type Assistant"
"NoModify" = "1"
"URLInfoAbout" = "http://www.trustedsoftware.com"

[HKCR\Unknown\shell\openas\command]
"DelegateExecute" = ""

The process netsh.exe:1256 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"napipsec.dll,-4" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"eapqec.dll,-102" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"

The process prepare.exe:1480 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

The process singleZenSearchUpdater.exe:3040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\ZenSearch\updater]
"sum" = "0100351876eac0c8f432fd010c8d3356"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\ZenSearch]
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"

[HKCU\Software\ZenSearch\updater]
"need_update" = "true"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"SID" = "1010"
"sum" = "0100351876eac0c8f432fd010c8d3356"
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\ZenSearch\updater]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch Updater"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"ID" = "1010"

[HKCU\Software\ZenSearch\updater]
"SID" = "1010"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch Updater"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\ZenSearch\updater\heal]
"aa7906b26bccabcda7a608c600284784" = "%Program Files% (x86)\ZenSearch Updater\updater.exe"

[HKCU\Software\ZenSearch\updater]
"ID" = "1010"

"ver" = "2"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"need_update" = "true"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,LetterÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ã‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ã‚Â¶40,40,2086,3220, 11,1480,2100,A5Ã‚Â¶39,39,1408,2020, 70,1050,1480,A6Ã‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ã‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ã‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ã‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ã‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ã‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ã‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ã‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃ‚Â¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]

The process 855ff7095b49e99e27b8ff3145da74d5.tmp:2224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash" = "CC 96 B8 B0 42 CC 11 07 12 DA 74 F5 9F 79 E4 0C"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"InstallDate" = "20141212"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe, %Program Files% (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe, %Program Files% (x86)\FreeAllInOneMediaPlayer\avcodec-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avcore-0.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avdevice-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avfilter-1.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avformat-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avutil-50.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\SDL.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\swscale-0.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\myutil.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\FreeAllInOneMediaPlayer"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "8F 34 29 2C 98 E5 45 7A 5B 45 8E 79 A8 50 A0 E2"
"Owner" = "B0 08 00 00 E1 45 82 02 21 16 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: Deselected Tasks" = ""
"Publisher" = "Free Software Group"
"Inno Setup: Setup Version" = "5.5.3 (a)"
"UninstallString" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe"
"NoModify" = "1"
"EstimatedSize" = "11144"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\FreeAllInOneMediaPlayer]
"SetupFileTypes.exe" = "WINXPSP2"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"InstallLocation" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\"
"Inno Setup: Language" = "default"
"NoRepair" = "1"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: Icon Group" = "Free All-In-One Media Player"
"DisplayIcon" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe"
"DisplayName" = "Free All-In-One Media Player"
"QuietUninstallString" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe /SILENT"
"Inno Setup: Selected Tasks" = "desktopicon,startmenuicon,quicklaunchicon"

The Worm deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

The process ftacfg.exe:1752 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

The process TrustedInstaller.exe:3828 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\COMPONENTS\CanonicalData\Catalogs\333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85e]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"S1H" = "14 AA 6E 76 31 91 54 C4 03 11 34 8A 36 B3 FF AB"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"CatalogThumbprint" = "0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba4Ã…â€”"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 0F 8E 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 5A 96 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 B9 C8 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90kor.dll" = "4D 00 46 00 43 00 39 00 30 00 4B 00 4F 00 52 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 00 F9 52 01 E0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll" = "41 54 4C 39 30 2E 64 6C 6C"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"CatalogThumbprint" = "fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3nÃ…â€”"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"S256H" = "24 BE B9 75 C2 7B 1D 95 FD D4 FE 4E 13 54 0E 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 98 E5 52 01 68 13 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"S1H" = "38 09 81 95 0B 31 B2 00 22 13 37 FF CF FB FF 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"CT" = "36 00 64 00 63 00 31 00 62 00 39 00 63 00 33 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"S1H" = "FE 8C 92 2C 75 1D 5B CC FB 3B D3 CB 22 A9 B8 23"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 B0 52 01 C6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"S1H" = "AE 6F 51 9A C7 46 73 82 69 39 92 25 65 46 09 57"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll" = "4D 46 43 39 30 43 48 53 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90u.dll" = "6D 00 66 00 63 00 39 00 30 00 75 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"S1H" = "76 C9 DC 05 BC 6B 6B 4C A3 FA EB 6F 47 42 95 CE"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4e]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 A5 9E 52 01 3E 08 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"CatalogThumbprint" = "333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85e"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"S256H" = "26 93 44 15 5C 4C F6 E2 AE DE 35 F5 1F 79 11 C0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"CatalogThumbprint" = "cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 24 08 53 01 6C 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90enu.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 4E 00 55 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
"CatalogThumbprint" = "522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 59 D2 52 01 3F 13 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"ClosureFlags" = "3"

[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 42 89 52 01 CD 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"S1H" = "E4 EC 8B 0B 75 55 36 62 51 1D 04 0E 86 AD 97 AC"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"CatalogThumbprint" = "d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a"
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90fra.dll" = "4D 00 46 00 43 00 39 00 30 00 46 00 52 00 41 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 CD 52 01 D2 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90rus.dll" = "4D 00 46 00 43 00 39 00 30 00 52 00 55 00 53 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 90 0D 53 01 8F 04 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 1F 12 53 01 D6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 74 84 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"S1H" = "EF 36 D4 10 E0 A9 EA 70 90 91 65 79 2A 07 E7 18"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 E3 A6 52 01 D4 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)]
"UtilizedSpace_MCP_c22d037d" = "F7 22 52 01 00 00 00 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"CT" = "64 00 32 00 63 00 61 00 38 00 66 00 33 00 35 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"S1H" = "83 EB 34 D7 CE D2 B9 DC 71 DB B8 49 AA 21 EA 78"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"S256H" = "69 55 F7 F5 CC 99 69 B8 69 B9 90 86 6D B9 02 DA"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll" = "4D 46 43 39 30 46 52 41 2E 44 4C 4C"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"CT" = "30 00 32 00 34 00 34 00 65 00 61 00 63 00 36 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"CatalogThumbprint" = "95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"S1H" = "DD 16 14 4C C5 08 00 43 4F CC B2 B6 FE 9C 3F 5E"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"S1H" = "AA 99 E7 4A 4B C1 C0 3A D2 57 8D E2 4A 0B 3A 42"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"
"S256H" = "6C E2 C2 01 E1 39 B8 B7 FD D6 B0 15 1A D0 20 DB"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 B3 02 53 01 71 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"S1H" = "23 CA 6B 65 00 D5 28 6A FC B4 CD 40 F3 13 09 16"
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"S256H" = "34 66 B6 B0 1E 23 20 74 33 3A E8 90 DE BA 8F D9"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esn.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 4E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"f!atl90.dll" = "41 00 54 00 4C 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"CatalogThumbprint" = "4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343Ã…â€”"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 9F 79 52 01 6B 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90.dll" = "6D 00 66 00 63 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"S1H" = "59 FC 44 3F E4 A9 36 69 AC E0 F5 9F A7 98 6B C9"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 FC BE 52 01 BD 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 B7 AB 52 01 D0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90enu.dll" = "4D 46 43 39 30 45 4E 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90jpn.dll" = "4D 00 46 00 43 00 39 00 30 00 4A 00 50 00 4E 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"CT" = "39 00 35 00 63 00 65 00 30 00 36 00 33 00 38 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90deu.dll" = "4D 00 46 00 43 00 39 00 30 00 44 00 45 00 55 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"CatalogThumbprint" = "6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4eÃ…â€”"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"S1H" = "4F C7 D7 36 AD BC B2 7C 10 86 7E 21 90 BD D1 34"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"CT" = "34 00 63 00 34 00 31 00 39 00 37 00 31 00 63 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"S1H" = "DA 6E 20 D5 AE 2F 76 AF 71 19 31 70 48 42 36 52"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll" = "4D 46 43 39 30 4B 4F 52 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"CT" = "61 00 38 00 30 00 39 00 35 00 65 00 66 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2014/12/12:15:34:34.920 6.1.7601.17592 (win7sp1_gdr.110408-1631)"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7dGÃ…â€”"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"

[HKLM\COMPONENTS]
"ExecutionState" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"

[HKLM\COMPONENTS]
"StoreDirty" = "01"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"

The Worm deletes the following registry key(s):

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]

The Worm deletes the following value(s) in system registry:

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll"
"mfc90esp.dll"

[HKLM\COMPONENTS]
"PoqexecFailure"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll"
"mfc90enu.dll"

[HKLM\COMPONENTS]
"PendingXmlIdentifier"
"LastScavengeFlags"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll"
"msvcp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll"

[HKLM\COMPONENTS]
"RepairTransactionPended"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll"

[HKLM\COMPONENTS]
"LastScavengeCookie"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll"

[HKLM\COMPONENTS]
"ExecutionState"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS]
"StoreDirty"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90ita.dll"

The process singleZenSearch.exe:928 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".session.restore_on_startup_migrated#1" = "true"

[HKCU\Software\ZenSearch\ZenSearch]
"sum" = "temp_hash"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".homepage_is_newtabpage#0" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"QuietUninstallString" = "%Program Files% (x86)\ZenSearch\uninstall000.exe /uninstall"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"SID" = "1010"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"DisplayName" = "ZenSearch"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer\Infodelivery]
"Restrictions|UsePolicySearchProvidersOnly|0" = "Internet Explorer\Infodelivery\Restrictions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.newtab.url" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"DisplayIcon" = "%Program Files% (x86)\ZenSearch\uninstall000.exe"
"URLUpdateInfo" = "http://zensearch.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
"Ext|IgnoreFrameApprovalCheck|0" = "Ext"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"InstallLocation" = "%Program Files% (x86)\ZenSearch\"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer]
"SearchScopes|DefaultScope|0" = "Internet Explorer\SearchScopes"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.startup.homepage" = "user_pref(browser.startup.homepage_override.buildID, 20140506152807);"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\WebData]
"DefSearchEngine" = "UPDATE meta SET value=2 where key='Default Search Provider ID'"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"HelpLink" = "http://zensearch.com/"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
"3|1609|1" = "1"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"MAO Settings|AddonLoadTimeThreshold|0" = ""

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.search.defaultenginename" = ""

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".session.restore_on_startup#0" = ""

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"ContinuousBrowsing|Enabled|1" = "0"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"TabbedBrowsing|Enabled|0" = ""
"Recovery|AutoRecover|0" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "4F BA F2 15 21 16 D0 01"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.search.selectedEngine" = ""

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData]
"FFProfilePath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default"

[HKCU\Software\ZenSearch\ZenSearch]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"ID" = "1001"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer\Infodelivery]
"Restrictions|NoChangeDefaultSearchProvider|0" = "Internet Explorer\Infodelivery\Restrictions"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.startup.page" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"UninstallString" = "%Program Files% (x86)\ZenSearch\uninstall000.exe /uninstall"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"ver" = "2"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
"Ext|DisableAddonLoadTimePerformanceNotifications|0" = "Ext"

[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"sum" = "temp_hash"
"need_update" = "true"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

[HKCU\Software\ZenSearch\ZenSearch]
"HomePageWasInstalledCH" = "1"
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"URLInfoAbout" = "http://zensearch.com/"

[HKCU\Software\ZenSearch\ZenSearch]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\ZenSearch\ZenSearch]
"need_update" = "true"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"Main|Start Page|1" = "about:Tabs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "4F BA F2 15 21 16 D0 01"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"MINIE|ShowTabsBelowAddressBar|0" = ""

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".homepage#0" = ""

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"TabbedBrowsing|NewTabPageShow|0" = ""

[HKCU\Software\ZenSearch\ZenSearch]
"SID" = "1010"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"Publisher" = "ZenSearch"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|Software\Policies\Microsoft\Internet Explorer]
"Restrictions|NoCrashDetection|0" = "Internet Explorer\Restrictions"

[HKCU\Software\ZenSearch\ZenSearch]
"ID" = "1001"

[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"SearchScopes|DefaultScope|1" = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process MyPC Backup.exe:3888 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

The process updater.exe:1952 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process BackupSetup.exe:3224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"

The Worm deletes the following value(s) in system registry:

The process helper.exe:3476 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\%Program Files% (x86)]
"Mozilla Firefox" = "8A9158DB3763B7C8"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "FirefoxURL"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "36"

[HKCU\Software\Classes\FirefoxURL\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "FirefoxURL"

[HKCU\Software\Classes\FirefoxHTML\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\FirefoxURL]
"FriendlyTypeName" = "Firefox URL"
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxURL\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxHTML\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxURL\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\FirefoxHTML]
"(Default)" = "Firefox HTML Document"

[HKCU\Software\Classes\FirefoxHTML\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "FirefoxURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Classes\FirefoxHTML]
"FriendlyTypeName" = "Firefox HTML Document"

[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\FirefoxURL]
"(Default)" = "Firefox URL"

[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "FIREFOX.EXE"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid" = "FirefoxHTML"

The Worm deletes the following registry key(s):

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
[HKCU\Software\Classes\https\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
[HKCU\Software\Classes\http\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"

The process zensearchsetup.tmp:2652 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZS_cleanup1" = "C:\Windows\system32\cmd.exe /c rmdir /q /s C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp"

The Worm deletes the following value(s) in system registry:

The process taskeng.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{49A380DA-87FA-49EE-B405-28A5BBFBBBAC}]
"data" = "4D 45 4F 57 01 00 00 00 E4 B7 BD 92 8B F2 A0 46"

Dropped PE files

MD5	File path
cec66e3ca216a4783c6fc54b4fe36dbd	c:\Program Files (x86)\File Type Assistant\TSASetup.exe
e328186d80be4a621b7b3d47441385a6	c:\Program Files (x86)\File Type Assistant\ftacfg.exe
d82a429efd885ca0f324dd92afb6b7b8	c:\Program Files (x86)\File Type Assistant\itdownload.dll
88b6d362e111d87cbca6ca94e152b7c6	c:\Program Files (x86)\File Type Assistant\tsassist.exe
6b741cb59f745ae8f8785717207c0d9c	c:\Program Files (x86)\File Type Assistant\unins000.exe
cf9d8d598ae756ad699879532273450f	c:\Program Files (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe
4f55ea944891d501adb2afcee5a1130a	c:\Program Files (x86)\FreeAllInOneMediaPlayer\SDL.dll
e403d24f4fea7915d6e3324bdd8ebdc3	c:\Program Files (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe
abbbbc9fdddfc9aac6297cfb7115cf77	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avcodec-52.dll
7005b8271fe80f7900325d3bbe908708	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avcore-0.dll
3fc95f12ece46be26eaa1a690db5a7cb	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avdevice-52.dll
47441ae6b4efc6f8e5cbbbf8d65f1ead	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avfilter-1.dll
3debed69443e52e7060db6be79ad5088	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avformat-52.dll
032bacb31a6b64a76ff72d170eafbcd1	c:\Program Files (x86)\FreeAllInOneMediaPlayer\avutil-50.dll
362c0f67ce58b7e58f5d86ee9ff23268	c:\Program Files (x86)\FreeAllInOneMediaPlayer\myutil.dll
082c25627166874e1860baf697c5df64	c:\Program Files (x86)\FreeAllInOneMediaPlayer\swscale-0.dll
877ece348a0735bcb698423013d59c14	c:\Program Files (x86)\FreeAllInOneMediaPlayer\unins000.exe
96f6e497f8ce5bc21b9d3140965104aa	c:\Program Files (x86)\MyPC Backup\AlphaFS.dll
5bfc53c0daee82e70ef02b9cf7ae3042	c:\Program Files (x86)\MyPC Backup\AlphaVSS.51.x86.dll
ba1d420f7fa1b4eef8cc127bee74a023	c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x64.dll
568754948b2aa5fcc41217fb28425cc5	c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x86.dll
a3ef02398e089dcd9708cbc4e427d0f7	c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x64.dll
057cf7fd20135899d616714534d0b7a8	c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x86.dll
3116e40a8b9709917e1dc1db4e068152	c:\Program Files (x86)\MyPC Backup\AlphaVSS.Common.dll
a0a4dd8d711d55884c163a3784eac55e	c:\Program Files (x86)\MyPC Backup\BackupStack.exe
3c3cb9d58660b527d47e7d46d292940c	c:\Program Files (x86)\MyPC Backup\BackupStackUI.dll
d15d57943417ca58884e643da0ce2464	c:\Program Files (x86)\MyPC Backup\BplusDotNet.dll
f5b669bd36f27089b36323ccbf8ebcda	c:\Program Files (x86)\MyPC Backup\Configuration Updater.exe
76928476bdcf7ea4dbe8589d85793315	c:\Program Files (x86)\MyPC Backup\GetText.dll
c97cc489f20c67c3b2f36782ca139ce4	c:\Program Files (x86)\MyPC Backup\InstMgr.dll
6ded8fcbf5f1d9e422b327ca51625e24	c:\Program Files (x86)\MyPC Backup\Ionic.Zip.dll
e5cc3997457cd365e43c19f0f9110148	c:\Program Files (x86)\MyPC Backup\LinqBridge.dll
9b2ac62a9aab3369b253411c14b92fcb	c:\Program Files (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll
e4da474b2f2415664a286c07022222a0	c:\Program Files (x86)\MyPC Backup\MPCBClient.dll
dddf97700f9d4a951783b73d5971ce48	c:\Program Files (x86)\MyPC Backup\MPCBContextMenu.dll
24b83d9a02acf4b10c3fe0e9f7153eef	c:\Program Files (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll
01623e484d03fe777a733f3f6f28d673	c:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
f89e670f3f9de99e80b4d39436a27d9e	c:\Program Files (x86)\MyPC Backup\NativeHashWrapper.dll
16da92c91e58f6d8a22e493ae442edbf	c:\Program Files (x86)\MyPC Backup\Newtonsoft.Json.dll
6e0e7abd35565d70986eedc71f1a7bb5	c:\Program Files (x86)\MyPC Backup\ObjectListView.dll
6605874ea071ad6904aa8f67e75c18a1	c:\Program Files (x86)\MyPC Backup\PipeDiff.dll
4bb211393828d585cb5396a273008d94	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe
74a8c01b69adedd7f1330245cd994821	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe
bb830033c3e24a0b82caf23662918278	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe
a6a26e38b3596fa740f7039d98bd3a22	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe
0d8aa68059d0103b04ef5afdf755f779	c:\Program Files (x86)\MyPC Backup\Service Start.exe
6f5ab2bf45a14dedcb642e804480c9c7	c:\Program Files (x86)\MyPC Backup\Shared Stack.dll
9d0cc110ab0605885d98ae08377f6f66	c:\Program Files (x86)\MyPC Backup\Signup Wizard.exe
eeabc4815562083a50a666e2709c5998	c:\Program Files (x86)\MyPC Backup\SignupWizard.dll
0790e1d72901d1b98a9abfd43d1c592c	c:\Program Files (x86)\MyPC Backup\System.Data.SQLite.DLL
ba95c010731d3a1b20816242995e5a5a	c:\Program Files (x86)\MyPC Backup\UnRegisterExtensions.exe
da063ab4cd89efa829dbdce1fcb1cf70	c:\Program Files (x86)\MyPC Backup\Updater.exe
0cc8dad6c96bb0f2a833e0cb460d4191	c:\Program Files (x86)\MyPC Backup\Updater_.dll
53b9dfe8be74f29dc10d12df6b438f31	c:\Program Files (x86)\MyPC Backup\uninst.exe
1688cecb8af9cedde1b60163c98d1765	c:\Program Files (x86)\MyPC Backup\websocket-sharp.dll
fd666249228fb1be3f9fc9399aa70d3a	c:\Program Files (x86)\MyPC Backup\x64\SQLite.Interop.dll
f25a493607f771a033a3afe8ac26a505	c:\Program Files (x86)\MyPC Backup\x86\SQLite.Interop.dll
0100351876eac0c8f432fd010c8d3356	c:\Program Files (x86)\ZenSearch Updater\uninstall.exe
aa7906b26bccabcda7a608c600284784	c:\Program Files (x86)\ZenSearch Updater\updater.exe
a81fec94b89b1c35d70f206a739ea094	c:\Program Files (x86)\ZenSearch\uninstall000.exe
bcba8747ab53932f8613c006444078e9	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BackupSetup.exe
a81fec94b89b1c35d70f206a739ea094	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe
d8278cf7b83f9d09d1555ed5e400ef6f	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_silent_full_bundleZenSearch_prod.exe
a091b7148ce0e1851ec1df67dd560119	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\Cloud_Backup_Setup.exe
62efa7b730eb0523a026ea4325403b77	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll
40395c175553cb14d2050888efccdf00	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe
c101f49f8fbdc203757ebf954d83af12	c:\Windows\Installer\$PatchCache$\Managed\EFEE0228DC83E77358593193D847A0EC\9.0.30729\FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8
45e475fa46d8f04a682eb5eed5476e08	c:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818\ATL90.dll
1e7ce519349ca4b49930ad843470a3f9	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcm90.dll
1f914c93052445e6629c37b81d421f7b	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcp90.dll
425d035880430fbed64dd6205c77f5b2	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcr90.dll
e75de70a944462a9912c93e888b4106f	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90.dll
6962af1e97d8566e9c3496dc118fd3b7	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90u.dll
e6ffdd8f997366fd88a799743579d389	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90.dll
f668d2f0c2377cc3b1459506a00b0f0b	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90u.dll
deebddd75a0ecb8afd463bd3b2d9131a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHS.DLL
b0552cba0f603e1730762056add5eb9a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHT.DLL
2822498a5df669d223e6b093c00cb93a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90DEU.DLL
91e5d7df820fb0fe7ead68c32bead0da	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ENU.DLL
85bdf40f2af1944f579a7a134bd08a34	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESN.DLL
390ab412debb2be22fcaca5a59c9a3c2	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESP.DLL
598dcb951afd9a3d3d2e1abf7603de60	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90FRA.DLL
9e87f90e281ea1f41669920b349189c5	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ITA.DLL
67695d68d782b48625a6c3ec08954216	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90JPN.DLL
91f1a8b875354dd5a1939e329af45656	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90KOR.DLL
32a4c8c6c2d09b98b14af92cd991a6d8	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90RUS.DLL
63e472c8410a0e9ce25c35a0482bbbbf	c:\Windows\winsxs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633\vcomp90.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Free Software Group
Product Name: Free All-In-One Media Player
Product Version: 2012
Legal Copyright: Copyright 2011-2012 Free Software Group
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2012
File Description: Free All-In-One Media Player Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40240	40448	4.59679	c3bd95c4b1a8e5199981e0d9b45fd18c
DATA	45056	592	1024	1.90742	1ee71d84f1c77af85f1f5c278f880572
BSS	49152	3724	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2244	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.13561	3ac8fba529cc16ce83dd89c6fafb567c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
e7f868919bbaceb5e34a6738ea345461
cf6ccc9ab044360a34a424e26c72baae
170d5cdf182b20775eff4cbc0e86edc4

URLs

URL	IP
hxxp://file.org/updatecheck/updcheck.php?v=20130408&p=pmoiafgsf	66.39.64.146
hxxp://zensearch.com/_searchbar/api/report?r=api/report&action=4&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0	216.92.114.3
hxxp://zensearch.com/_searchbar/api/report?r=api/report&action=7&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0	216.92.114.3
hxxp://zensearch.com/_searchbar/api/product/UpdaterTimeOut?product=1010&cb=12817	216.92.114.3
hxxp://zensearch.com/_searchbar/api/report?action=4&pid=1001&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0	216.92.114.3
hxxp://track.mypcbackup.com/0ebf8ab7/D0wnloads/MyPCBackup_Setup.exe	184.154.150.131
hxxp://mypcbackup.jdibackup.netdna-cdn.com/MyPCBackup_Setup.exe
hxxp://track.mypcbackup.com/aadebc4830c51c2794a960fe5a9e11df.php	184.154.150.131
hxxp://freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
hxxp://a767.dscms.akamai.net/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe
hxxp://freemediaplayer.net/css/style.css
hxxp://freemediaplayer.net/js/jquery.js
hxxp://freemediaplayer.net/js/jqueryslidemenu.js
hxxp://freemediaplayer.net/js/jquery.prettyPhoto.js
hxxp://freemediaplayer.net/js/functions.js
hxxp://freemediaplayer.net/js/jquery.tools.tabs.min.js
hxxp://freemediaplayer.net/js/cufon-yui.js
hxxp://freemediaplayer.net/js/fonts/TitilliumText14L_400.font.js
hxxp://freemediaplayer.net/images/favicon.ico
hxxp://freemediaplayer.net/css/reset.css
hxxp://freemediaplayer.net/css/jqueryslidemenu.css
hxxp://download.dynect.mozilla.net/?product=firefox-34.0.5-complete&os=win&lang=en-US
hxxp://freemediaplayer.net/images/free-media-player.png
hxxp://freemediaplayer.net/images/topwrapper.png
hxxp://freemediaplayer.net/images/mainwrapper.png
hxxp://freemediaplayer.net/images/bg-header.png
hxxp://freemediaplayer.net/images/sidebar-line.jpg
hxxp://freemediaplayer.net/images/bottomwrapper.png
hxxp://a1284.g.akamai.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
hxxp://ep.backupgrid.net/install/win/1/live/net2	184.154.150.137
hxxp://backupgrid.jdibackup.netdna-cdn.com/mypcbackup.1.5.0.2.101.7z
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32c8ac288c5b764f
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?10c977ff9b187534
hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg=
hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w=
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://file.org/updatecheck/ftaupdcheck.php?v=20130408&i=16696878&g=9600c9de-ba93f2b5-bddd7810-69819463	66.39.64.146
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRtl6lMY2+iPob4twryIF+FfgUdvwQUK8NGq7oOyWUqRtF5R8Ri4uHa/LgCEBBwnU/1VAjXMGAB2OqRdbs=	178.255.83.1
hxxp://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSOJaE2H4hHYQzP74hlLuO41NG+EAQUHsWxLH2H2gJofCW8DAeEP7bP3vECEQDEU71+eIGhmN3szB/EMtPt	178.255.83.1
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.202.16
hxxp://www.freemediaplayer.net/css/reset.css	216.92.13.169
hxxp://www.freemediaplayer.net/js/jqueryslidemenu.js	216.92.13.169
hxxp://www.freemediaplayer.net/js/functions.js	216.92.13.169
hxxp://clients1.google.com/ocsp	173.194.113.196
hxxp://www.freemediaplayer.net/images/bg-header.png	216.92.13.169
hxxp://www.freemediaplayer.net/js/cufon-yui.js	216.92.13.169
hxxp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar	87.245.202.43
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.202.16
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32c8ac288c5b764f	87.245.202.24
hxxp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z	94.31.29.237
hxxp://www.freemediaplayer.net/js/jquery.js	216.92.13.169
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://www.freemediaplayer.net/images/favicon.ico	216.92.13.169
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?10c977ff9b187534	87.245.202.24
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.202.16
hxxp://www.freemediaplayer.net/images/mainwrapper.png	216.92.13.169
hxxp://www.freemediaplayer.net/images/sidebar-line.jpg	216.92.13.169
hxxp://cdn.mypcbackup.com/MyPCBackup_Setup.exe	94.31.29.238
hxxp://www.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419	216.92.13.169
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://download.mozilla.org/?product=firefox-34.0.5-complete&os=win&lang=en-US	63.245.217.36
hxxp://www.freemediaplayer.net/images/free-media-player.png	216.92.13.169
hxxp://www.freemediaplayer.net/js/fonts/TitilliumText14L_400.font.js	216.92.13.169
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://www.freemediaplayer.net/css/style.css	216.92.13.169
hxxp://www.freemediaplayer.net/js/jquery.tools.tabs.min.js	216.92.13.169
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w=	93.184.220.29
hxxp://www.freemediaplayer.net/css/jqueryslidemenu.css	216.92.13.169
hxxp://www.freemediaplayer.net/images/topwrapper.png	216.92.13.169
hxxp://www.freemediaplayer.net/images/bottomwrapper.png	216.92.13.169
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe	95.101.0.90
hxxp://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSOJaE2H4hHYQzP74hlLuO41NG+EAQUHsWxLH2H2gJofCW8DAeEP7bP3vECEQDEU71+eIGhmN3szB/EMtPt	178.255.83.1
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg=	93.184.220.29
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://www.freemediaplayer.net/js/jquery.prettyPhoto.js	216.92.13.169
safebrowsing-cache.google.com	74.125.232.5
safebrowsing.google.com	173.194.113.197
aus3.mozilla.org	63.245.217.137

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

POST /updatecheck/ftaupdcheck.php?v=20130408&i=16696878&g=9600c9de-ba93f2b5-bddd7810-69819463 HTTP/1.0

Host: file.org

User-Agent: InnoTools_Downloader


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:36:01 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /_searchbar/api/product/UpdaterTimeOut?product=1010&cb=12817 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: zensearch.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:11 GMT

Server: Apache/2.2.29

Content-Length: 81

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: json

{"start_at_login":true,"period_day_in_time":"1;13:00:00","period_secon
d":"43200"}HTTP/1.1 200 OK..Date: Fri, 12 Dec 2014 15:34:11 GMT..Serve
r: Apache/2.2.29..Content-Length: 81..Keep-Alive: timeout=5, max=100..
Connection: Keep-Alive..Content-Type: json..{"start_at_login":true,"pe
riod_day_in_time":"1;13:00:00","period_second":"43200"}..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=568740, public, no-transform, must-revalidate

Last-Modified: Fri, 12 Dec 2014 05:33:31 GMT

Expires: Fri, 19 Dec 2014 05:33:31 GMT

Date: Fri, 12 Dec 2014 15:37:58 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
2053331Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20141212053331Z....20141219053331Z0...*.H........
.....!......VV^.Fv.#.....<........../...=..G.`.S...c....P...X4C....
.l...?.d.s.....l.."...N..[....Ig..Kv@...o.......OsQ.?..A..VD...&*....]
.%...d.....35..D....L.k...n......A..#..<Q7j...rT1`t>J.k.....b...
....BJ.K............=i.`..C...O.ve,%.h.y\C\.V{...3HH.IR..#.....#0...0.
..0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of
 use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 
Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US
1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2T
erms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSig
n Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.
........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk...
.(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..
~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<
.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0
...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.v
erisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS i
ncorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...
U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?10c977ff9b187534 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Fri, 12 Dec 2014 15:34:35 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
..............@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....<<< skipped >>>

GET /js/functions.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Tue, 01 Apr 2014 13:40:12 GMT

Accept-Ranges: bytes

Content-Length: 3102

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript
  $(document).ready(function() {.    .    if ($.browser.msie && $.brow
ser.version < 7) return; // Don't execute code if it's IE6 or below
 cause it doesn't support it..    .      $(".fade").fadeTo(1, 1);.    
  $(".fade").hover(.        function () {.          $(this).fadeTo("fa
st", 0.6);.        },.        function () {.          $(this).fadeTo("
slow", 1);.        }.    );  .    .    /* initialize prettyphoto */.  
  $("a[rel^='prettyPhoto']").prettyPhoto({.  ..theme: 'dark_square'.  
  });.    ..    $(".tabs_container").each(function(){.    .$("ul.tabs"
,this).tabs("div.panes > div", {tabs:'li',effect: 'fade', fadeOutSp
eed: -400});.    });.    $(".mini_tabs_container").each(function(){.  
  .$("ul.mini_tabs",this).tabs("div.panes > div", {tabs:'li',effect
: 'fade', fadeOutSpeed: -400});.    });.    $.tools.tabs.addEffect("sl
ide", function(i, done) {.    .this.getPanes().slideUp();.    .this.ge
tPanes().eq(i).slideDown(function()  {.    ..done.call();.    .});.   
 });.    .    $('.toggle .toggle_content:first').show();.    $(".toggl
e_title").toggle(.    .function(){.    ..$(this).addClass('toggle_acti
ve');.    ..$(this).siblings('.toggle_content').slideDown("fast");.   
 .},.    .function(){.    ..$(this).removeClass('toggle_active');.    
..$(this).siblings('.toggle_content').slideUp("fast");.    .}.    );. 
 .  .  $('#buttonsend').click( function() {.....var name    = $('#cont
actname').val();...var subject = $('#contactsubject').val();...var ema
il   = $('#contactemail').val();...var message = $('#contactmessag<<< skipped >>>

GET /js/fonts/TitilliumText14L_400.font.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 04 Aug 2011 16:53:44 GMT

Accept-Ranges: bytes

Content-Length: 33704

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: application/javascript

/*!. * The following copyright notice may not be removed under any cir
cumstances.. * . * Copyright:. * Generated in 2009 by FontLab Studio. 
Copyright info pending.. * . * Full name:. * TitilliumText14L-400wt. *
/.Cufon.registerFont({"w":190,"face":{"font-family":"TitilliumText14L"
,"font-weight":400,"font-stretch":"normal","units-per-em":"360","panos
e-1":"0 0 0 0 0 0 0 0 0 0","ascent":"270","descent":"-90","x-height":"
4","bbox":"-14 -342 336 88","underline-thickness":"18","underline-posi
tion":"-18","unicode-range":"U 0020-U 2122"},"glyphs":{" ":{"w":84},"C
":{"d":"177,-30r1,25v0,0,-41,9,-69,9v-75,0,-91,-47,-91,-129v0,-85,18,-
129,91,-129v33,0,69,8,69,8r-1,25v0,0,-40,-6,-65,-6v-56,0,-65,33,-65,10
2v0,68,9,102,66,102v22,0,64,-7,64,-7","w":192},"c":{"d":"93,-184v17,0,
48,6,48,6r0,23v0,0,-29,-3,-43,-3v-41,0,-52,17,-52,65v0,53,8,71,52,71v1
4,0,43,-3,43,-3r1,24v0,0,-34,5,-50,5v-58,0,-74,-26,-74,-97v0,-65,21,-9
1,75,-91","w":157},"d":{"d":"164,-252r0,252r-27,0r0,-12v0,0,-28,16,-55
,16v-35,0,-64,-15,-64,-93v0,-83,49,-107,119,-90r0,-73r27,0xm45,-89v0,9
3,61,67,92,54r0,-120v-5,-1,-28,-4,-42,-4v-38,0,-50,23,-50,70","w":195}
,"e":{"d":"93,-21v27,0,66,-3,66,-3r0,22v0,0,-40,6,-69,6v-54,0,-72,-32,
-72,-93v0,-68,30,-95,76,-95v55,0,78,41,71,106r-120,0v0,38,12,57,48,57x
m45,-100r94,0v0,-43,-14,-59,-45,-59v-31,0,-49,17,-49,59","w":182},"f":
{"d":"59,-156r0,156r-26,0r0,-156r-23,0r0,-24r23,0v-2,-53,7,-82,48,-82v
13,0,36,3,36,3r0,22v-29,-1,-65,-9,-58,41r0,16r53,0r0,24r-53,0","w":120
},"g":{"d":"94,86v-85,0,-99,-68,-49,-100v-17,-9,-4,-47,3,-54v-15,-

<<< skipped >>>

GET /images/free-media-player.png HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Sat, 07 Apr 2012 03:52:14 GMT

Accept-Ranges: bytes

Content-Length: 15157

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR.......-.....a.(.....tEXtSoftware.Adobe ImageReadyq.e&
lt;..:.IDATx..}.|.E..lK.IH.%.F.*=........T...?.E9=..N.....{..6...Ai*..
wH.P.....u.I6[.....f..}......g....;....}.gf.Q......~....`..........L..
............b....\E............>..o..o..o...j....V.\.Q.g(..`...P4Wt
y%...o!.......,....Zm..C...}..uy...b=.m/X{.7x.7x...P.].vQ``._...B.j..^
. W.t......W..^z..........g..L.~...j.6..aaa9../.B....<k..~..&...W.T
*..~.....?..$MgWH. G*t..=m..E.h-.:....q..#..W.q^W...w.q*.oG.._..&...a.
:T..k..........OM9x.Q..|..E.N..Gz.g.....W(TM........|]..,..:..........
u.3...|5.....y)....!O....7........V...*.R.....h.6o.O...j.M.8k..i..X...
..........j#O..R....Q.W.U8J[.9...W.....x>.X."U<........J..U...\.
.........T.J/[.............V.Z..<..:.....g.T=.Ic..<.g....*_....h
(....ZS[[;}..10I.....Q.v....W....{.....UTT4... ..73.K....u.)..2....E./
.c..k.k........Z..Y......<.G.y.(...%K.`}j.&..r..:.i......m.N.{.. y]
.FS.f...W...T..}........|>c.....D.R.._........h.......1.b..@NT~.a..
I....mM.i..y..I..l..Wj.."@5.t;..:....d.y.......y.dn...b.S&.......W....
..!.>H..u.<......__.....Z...K.<...c...#.F....-4..X..|.O......
.!`n5g......4.M.3.....0.&.|...xsf..........>-0........../....k.....
.{s.A...*//'.322F...#..U...... . ..{..."............'L.. n...A9..|....
....V.....\Dy......%Ls.....}...B..B?....e.._....*.g>..........h....
g.yf.;.....WI.1.4..h|.. .......R.Q.}*E.."..R...De(%....T..H4.f5.:$....
|...eg.JBl@.#.m...]..(. /.$....a.jjjF.:th.......{;..>.:@.....c....C
...6........^^W.O31...a,..<..c.!..*q. .}C[..........M....'-1|..<<< skipped >>>

POST /updatecheck/updcheck.php?v=20130408&p=pmoiafgsf HTTP/1.0

Host: file.org

User-Agent: InnoTools_Downloader

Content-Type: Application/octet-stream

Content-Length: 51

NEWPC2|6.1.7601|48|1|0|1|0409|0409|1|64|pmoiafgsf


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:08 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Length: 63

Connection: close

Content-Type: text/html; charset=utf-8
PCID|16696878|9600c9de-ba93f2b5-bddd7810-69819463|.TIMERS|4|2|...

GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSOJaE2H4hHYQzP74hlLuO41NG+EAQUHsWxLH2H2gJofCW8DAeEP7bP3vECEQDEU71+eIGhmN3szB/EMtPt HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.comodoca.com


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:38:00 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Fri, 12 Dec 2014 05:42:16 GMT

Expires: Tue, 16 Dec 2014 05:42:16 GMT

ETag: 172BF0EFB9C25DF0E168ED0B822B8CFB7897A204

Cache-Control: max-age=309255,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp4

Content-Length: 472

Connection: close

Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........,}...h|%....?......2014121
2054216Z0t0r0J0... .........%.6..Ga....e............,}...h|%....?.....
...S.~x........2......20141212054216Z....20141216054216Z0...*.H.......
........*....n.ze.r....k.k...G.nM...l5 ...KX<....w~(..=.7VF7..`..[.
.....H._....V*.*>.......VjL..9....Q...q.)z......&.o........{.2.8.U.
c....h.T.P.Xr.K...y&...l.8G.tn.d....8.F>>.._...E.W..}D.n.o.....K
@........ ..I..R'-.`..dVs7..D...........i6.......H...w........>...

GET /_searchbar/api/report?r=api/report&action=4&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: zensearch.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:10 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 22

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html
................X.....HTTP/1.1 200 OK..Date: Fri, 12 Dec 2014 15:34:10
 GMT..Server: Apache/2.2.29..Vary: Accept-Encoding..Content-Encoding: 
gzip..Content-Length: 22..Keep-Alive: timeout=5, max=100..Connection: 
Keep-Alive..Content-Type: text/html..................X.........


GET /_searchbar/api/report?r=api/report&action=7&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: zensearch.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:10 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 22

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/html

................X.....HTTP/1.1 200 OK..Date: Fri, 12 Dec 2014 15:34:10
 GMT..Server: Apache/2.2.29..Vary: Accept-Encoding..Content-Encoding: 
gzip..Content-Length: 22..Keep-Alive: timeout=5, max=99..Connection: K
eep-Alive..Content-Type: text/html..................X.......

GET /_searchbar/api/report?action=4&pid=1001&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: zensearch.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:12 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 22

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

................X.....HTTP/1.1 200 OK..Date: Fri, 12 Dec 2014 15:34:12
 GMT..Server: Apache/2.2.29..Vary: Accept-Encoding..Content-Encoding: 
gzip..Content-Length: 22..Keep-Alive: timeout=5, max=100..Connection: 
Keep-Alive..Content-Type: text/html..................X.......

GET /installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419 HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1341

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8
...........Wmo.6..<...W.X: ........:i.,M..].O.-....TI........Gr..m.
..xw..w..1.........Hl*......)./....Ap<;..Og..a...G.yd.....I..^.AQ.~
q. }.........5...l...$.y0.v.O.4.............8..Sf)8U.}..rB.JZ&.7 3F ..
&..{.8.7.%T.f'.]x........).......).1.....B.N..m...}.i..H..Lz..y.X.)\.Z
2.\.K.`.C...T...b.Ix4W..j...8.......4..b..m.....$.-..).a&X..[.....U...
..[....i...I...,...e...M.yf..[...*.....5.......5....~...<f)......f.
.W....p.R......r.}P.\F. i..<..Jze..swd..f.r!x..Po8:.2......@......k
.....;.p79.MF........d.5.X....~{..K..P..j...6...t|...0Wq.\..|.<..B.
,c...#A...H0..1q..:&Ve .M..r..u..J.......n."...]q.M ..M...B.......U%.g
....m..5.X.R(.=%a.&A.. ...m...{X...........d'....Z.9.\Tmc.iZ3...,v..T.
.r.dT.b..3.......pb..q.....h.7.[ ..Gw`U.o.....6.U{..h..`@.._]..Q.8...`
.g..%.T.%......(7I...\{..-.;z......W..._x.82.......qw.Z..k...uu..`D..8
9..&$l..X..=...C.1[2.2......G...&..k.g>\3(...%!....j.&.b...........
M..t...i..K.v.;../..........5..*... R!$]"Y`.sa=......\(...l.h....Sw..m
J.F.dZ..5......v...]...-...U.......4..............ZV.m........l.u.#..d
...9T.....O..v.......i..?..M4t...-kN...#...0..t.:.....i..v.^..{..'.|..
..f. .GX..y.|..x..RRw...N.......M......q...Z...>..;8..8.... <WH&
gt;.'........>..........j/.L.....~.S...M.g.}6....e.R....q....X.l...
..d..=1.V...../?a.eH=g.q.=g....Y.S..HW.Z.}_# ..[....[~..{.!x.g...n.H.J
..j.uI?...c...p...NV..T....../...d..u........
<<< skipped >>>

GET /css/style.css HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/css,*/*;q=0.1

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 20 Feb 2014 14:38:46 GMT

Accept-Ranges: bytes

Content-Length: 32990

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/css
/*.Title:..AVANIX CSS File .Author:..imediapixel@gmail.com.*/../* ----
------------------- SUMMARY -----------------------..- GENERAL LAYOUT.
  - BODY..- HEADINGS..- PARAGRAPH,BLOCKQUOTE,CODE, .  - ORDER LIST.  -
 ARROW LIST.  - CHECK LIST.  - BULLET LIST.  - DROPCAPS, PULLQUOTE..- 
CLEAR FLOAT ELEMENTS..- IMAGE ALIGNMENT & STYLING;.  - CUSTOM MESS
AGE STYLING.  - BUTTON..- WRAPPER.  - TOP WRAPPER.  - MAIN WRAPPER.  -
 BOTTOM WRAPPER .  - CENTER .  .- HEADER.  - HEADER WRAPPER..- LOGO.  
- SEARCH BOX....- SLIDESHOW..- FEATURES BOX...- HOMEPAGE CONTENT..- PA
GE HEADING  ..- PRODUCTS PAGE / TABLE PRICING..- PORTFOLIO PAGE.  - PO
RTFOLIO LIST.  - FILTER PORTFOLIO.    .- BLOG PAGE.  - BLOG LIST ITEMS
.  - POST META BOX.  - AUTHOR BOX.  - COMMENTS LIST.  - COMMENT FORM .
  .- CONTACT PAGE.  - CONTACT FORM.  - CONTACT ADDRESS..- FAQ PAGE..- 
SIDEBAR.  - NEWS LIST.  - ITEM LIST.  - TWITTER WIDGET.  .- FOOTER..- 
FOOTER BOX.  - ADDRESS LIST.  - COPYRIGHT.  .*/../* Import CSS Reset F
ile */.@import url("reset.css");./* Import Drop down Menu Styling File
 */.@import url("jqueryslidemenu.css"); ../* ----------------------- G
ENERAL LAYOUT -----------------------*/.body {.  background-color: #cc
cccc;./*  background-image: url(../images/pattern/minimalist11.png);. 
 background-repeat: repeat;*/.  font-family: "Helvetica Neue",Helvetic
a,Arial,sans-serif;.  font-size: 12px;.  line-height: 21px;.  color: #
787878;.}../* Heading */.h1, h2, h3, h4, h5, h6{..font-weight: 400;..c
olor:#555555;..font-family: "Helvetica Neue", Helvetica, Arial, sa<<< skipped >>>

GET /css/reset.css HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/css,*/*;q=0.1

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Mon, 13 Dec 2010 22:22:20 GMT

Accept-Ranges: bytes

Content-Length: 1014

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: text/css
/* hXXp://meyerweb.com/eric/tools/css/reset/ */./* v1.0 | 20080212 */.
.html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6
, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del,
 dfn, em, font, img, ins, kbd, q, s, samp,.small, strike, strong, sub,
 sup, tt, var,.b, u, i, center,.dl, dt, dd, ol, ul, li,.fieldset, form
, label, legend,.table, caption, tbody, tfoot, thead, tr, th, td {..ma
rgin: 0;..padding: 0;..border: 0;..outline: 0;..font-size: 100%;..vert
ical-align: baseline;..background: transparent;.}.body {..line-height:
 1;.}.ol, ul {..list-style: none;.}.blockquote, q {..quotes: none;.}.b
lockquote:before, blockquote:after,.q:before, q:after {..content: '';.
.content: none;.}../* remember to define focus styles! */.:focus {..ou
tline: 0;.}../* remember to highlight inserts somehow! */.ins {..text-
decoration: none;.}.del {..text-decoration: line-through;.}../* tables
 still need 'cellspacing="0"' in the markup */.table {..border-collaps
e: collapse;..border-spacing: 0;.}HTTP/1.1 200 OK..Date: Fri, 12 Dec 2
014 15:34:16 GMT..Server: Apache/2.2.29..Last-Modified: Mon, 13 Dec 20
10 22:22:20 GMT..Accept-Ranges: bytes..Content-Length: 1014..Keep-Aliv
e: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/css..
/* hXXp://meyerweb.com/eric/tools/css/reset/ */./* v1.0 | 20080212 */.
.html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6
, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del,
 dfn, em, font, img, ins, kbd, q, s, samp,.small, strike, strong, <<< skipped >>>

GET /images/mainwrapper.png HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Fri, 18 Nov 2011 19:14:58 GMT

Accept-Ranges: bytes

Content-Length: 209

Keep-Alive: timeout=5, max=97

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR.....................pHYs................ cHRM..z%....
..........u0...`..:....o._.F...WIDATx......@...=..O..D..L.&....6.9.T53
..V..9..w....w....G....I......9....r.............H1..........IEND.B`.H
TTP/1.1 200 OK..Date: Fri, 12 Dec 2014 15:34:17 GMT..Server: Apache/2.
2.29..Last-Modified: Fri, 18 Nov 2011 19:14:58 GMT..Accept-Ranges: byt
es..Content-Length: 209..Keep-Alive: timeout=5, max=97..Connection: Ke
ep-Alive..Content-Type: image/png...PNG........IHDR...................
..pHYs................ cHRM..z%..............u0...`..:....o._.F...WIDA
Tx......@...=..O..D..L.&....6.9.T53..V..9..w....w....G....I......9....
r.............H1..........IEND.B`...

GET /js/jquery.tools.tabs.min.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Tue, 20 Sep 2011 19:44:58 GMT

Accept-Ranges: bytes

Content-Length: 2968

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript
/*. . jQuery Tools 1.2.5 Tabs- The basics of UI design... NO COPYRIGHT
S OR LICENSES. DO WHAT YOU LIKE... hXXp://flowplayer.org/tools/tabs/..
 Since: November 2008. Date:    Wed Sep 22 06:02:10 2010  0000 .*/.(fu
nction(c){function p(d,b,a){var e=this,l=d.add(this),h=d.find(a.tabs),
i=b.jquery?b:d.children(b),j;h.length||(h=d.children());i.length||(i=d
.parent().find(b));i.length||(i=c(b));c.extend(this,{click:function(f,
g){var k=h.eq(f);if(typeof f=="string"&&f.replace("#","")){k=h.filter(
"[href*=" f.replace("#","") "]");f=Math.max(h.index(k),0)}if(a.rotate)
{var n=h.length-1;if(f<0)return e.click(n,g);if(f>n)return e.cli
ck(0,g)}if(!k.length){if(j>=0)return e;f=a.initialIndex;k=h.eq(f)}i
f(f===j)return e;.g=g||c.Event();g.type="onBeforeClick";l.trigger(g,[f
]);if(!g.isDefaultPrevented()){o[a.effect].call(e,f,function(){g.type=
"onClick";l.trigger(g,[f])});j=f;h.removeClass(a.current);k.addClass(a
.current);return e}},getConf:function(){return a},getTabs:function(){r
eturn h},getPanes:function(){return i},getCurrentPane:function(){retur
n i.eq(j)},getCurrentTab:function(){return h.eq(j)},getIndex:function(
){return j},next:function(){return e.click(j 1)},prev:function(){retur
n e.click(j-1)},destroy:function(){h.unbind(a.event).removeClass(a.cur
rent);.i.find("a[href^=#]").unbind("click.T");return e}});c.each("onBe
foreClick,onClick".split(","),function(f,g){c.isFunction(a[g])&&c(e).b
ind(g,a[g]);e[g]=function(k){k&&c(e).bind(g,k);return e}});if(a.histor
y&&c.fn.history){c.tools.history.init(h);a.event="history"}h.each(<<< skipped >>>

GET /images/favicon.ico HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive


HTTP/1.1 404 Not Found

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 188

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1
..........M....@..{.b..ECy.B~"."1Ga....p........Mfw..a....{..Y\...S..`
...PD......q......u.rVSQ......\.R.!.S_2.............y....EM0.{"......6
].".U17O.;f..P...ZX.=..Q.h.it..K..b.................


GET /images/favicon.ico HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive


HTTP/1.1 404 Not Found

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 188

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1
..........M....@..{.b..ECy.B~"."1Ga....p........Mfw..a....{..Y\...S..`
...PD......q......u.rVSQ......\.R.!.S_2.............y....EM0.{"......6
].".U17O.;f..P...ZX.=..Q.h.it..K..b.............HTTP/1.1 404 Not Found
..Date: Fri, 12 Dec 2014 15:34:16 GMT..Server: Apache/2.2.29..Vary: Ac
cept-Encoding..Content-Encoding: gzip..Content-Length: 188..Keep-Alive
: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/html; 
charset=iso-8859-1............M....@..{.b..ECy.B~"."1Ga....p........Mf
w..a....{..Y\...S..`...PD......q......u.rVSQ......\.R.!.S_2...........
..y....EM0.{"......6].".U17O.;f..P...ZX.=..Q.h.it..K..b.............font>....

GET /images/bottomwrapper.png HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Fri, 02 Dec 2011 23:33:04 GMT

Accept-Ranges: bytes

Content-Length: 5170

Keep-Alive: timeout=5, max=97

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR............. .......pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;.
.m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
.b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32c8ac288c5b764f HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT

If-None-Match: "0af536cf2ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

Accept-Ranges: bytes

ETag: "0b2464b1797cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6408

Date: Fri, 12 Dec 2014 15:34:22 GMT

Connection: keep-alive
MSCF............,...................O.......'#.........D.z .disallowed
cert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J.
.......z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.
0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m..
. ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g
..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......
r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....G
B..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;
xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...Ujr
Zs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<......
...-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5
.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.
6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.
].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW..
.F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4...
....hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....
?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.
4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q..
...p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<
;..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x 
B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>
;.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.<<< skipped >>>

GET /aadebc4830c51c2794a960fe5a9e11df.php HTTP/1.0

Host: track.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:15 GMT

Server: Apache

Set-Cookie: SESSID=ensl8htsj8k8l0miv5mhn2f063; path=/; domain=.mypcbackup.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com

Content-Length: 8

Connection: close

Content-Type: text/html; charset=UTF-8

Set-Cookie: MPBWWW=3171957029.1.1047620528.117384224; path=/
Complete..

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT

If-None-Match: "87fbb3811f68cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT

Accept-Ranges: bytes

ETag: "58cddbea90dfcf1:0"

Server: Microsoft-IIS/8.5

VTag: 279619316300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Fri, 12 Dec 2014 15:34:54 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141003211553Z..150102093553Z._0]0...U.#..0...#4..RFp..@.v.. .
.5..0... .....7.......0...U......00... .....7......150101212553Z0...*.
H.............:...h:O..9..a.M8.}*.........A....f......SG....(...g...&g
t;.!.4o7P....O...`x.h.W.F..x.9...1....C.......5..9..p ....1 ........$.
.P.......?.6...2.....(.."C1aF..B....I.V.u.4=Cs....~d5X..R...BRo.......
.....1Q-b.... ..P.M/SfvX..l..Mm.j9..A|.q.W=...Wy.Y]<....._!.../nt>....

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT

If-None-Match: "96bfbfb1d77cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

Accept-Ranges: bytes

ETag: "a2f3ff97eeecf1:0"

Server: Microsoft-IIS/8.5

VTag: 791939326400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Fri, 12 Dec 2014 15:34:54 GMT

Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..141022204822Z..
150121090822Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......'0... .....7......150120205822
Z0...*.H.............4....w.h.Y..L.p.Q... ..?.~.q.......'.a[... ]G....
....t.....^p..De..0*r.n....G|....$b-{......d/....m...r.xQ...t..XtF...O
W~.....@6...*x.h........wi.L.%.,<}.rULPR..T........P..g...._V.\z`..
../..^...e.............r.%...:.S..W.....Qy...6.W..Fo.;.~.e9.]...;7..[.
$wzD....|.%\.w..o...X.....R.2u.w."J\.&q.f.d<&.p....[31.....il.....d
I2.#...h.Y.._e........H.%2.r.w..M.(~...W.{?...@n0.X.v..Wa.^o]...K....f
[.oN\.V.../<..&.)@P.A.......p....D.Gj.M}PhUY?s...YX>..e...PC...@
.^....v...:._[.l.....z.._(..>.l....O....ReP...M.%.B1..)....


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT

If-None-Match: "a413fc3b169cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT

Accept-Ranges: bytes

ETag: "3e1c83923e1cf1:0"

Server: Microsoft-IIS/8.0

VTag: 438466244800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Fri, 12 Dec 2014 15:34:54 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141005213147Z..150104095147Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......20... .....7......15010
3214147Z0...*.H.................C>....... ..3yv..N...Q...&..U...u(.
.8.2.,.K.r.M..m0..BdE..(@.bu//J.......b...H.Z...B..7zS.>......G....
{..C..}p.......9d..Q.E/.N......fM.._A{7RI*.....t.B...d..>w'.. ..0xJ
...'.0.6...o. ..(.......1..TU[..<..|F.>x..j.....xA2....b.'..{.t.
H......A...@.{{ip......


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT

If-None-Match: "924558f3e994cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.5

VTag: 791936916300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Fri, 12 Dec 2014 15:34:54 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......W0... .....7......150210174206Z0.
..*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K.
.[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..
=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%
.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..
-@.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified:
 Thu, 13 Nov 2014 06:02:42 GMT..Accept-Ranges: bytes..ETag: "88cab6f7f
fcf1:0"..Server: Microsoft-IIS/8.5..VTag: 791936916300000000..P3P: CP=
"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo
 CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-
Length: 554..Cache-Control: max-age=900..Date: Fri, 12 Dec 2014 15:34:
54 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U...
.US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corpora
tion1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206
Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W
0... .....7......150210174206Z0...*.H................].`...D..9.>LO
.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.....
....:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&.....
......<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\.

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com


HTTP/1.1 200 OK

Server: Apache

ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"

Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT

Date: Fri, 12 Dec 2014 15:37:52 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140922000000Z..141
231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w
`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3
...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <........
..-.....k.$<i{O.<.E...*.......Ow _..J.HTTP/1.1 200 OK..Server: A
pache..ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"..Last-Modif
ied: Wed, 24 Sep 2014 00:15:16 GMT..Date: Fri, 12 Dec 2014 15:37:52 GM
T..Content-Length: 933..Connection: keep-alive..Content-Type: applicat
ion/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSig
n, Inc.1705..U....Class 3 Public Primary Certification Authority..1409
22000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!..
...A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0
!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....0209231715

<<< skipped >>>

GET /MyPCBackup_Setup.exe HTTP/1.0

Host: cdn.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:14 GMT

Content-Type: application/octet-stream

Content-Length: 297672

Connection: close

x-amz-id-2: ITSfTeTXt7nuSaLoUJg24XmzZcO6StHVwLM5wJapi75duw8Sx8YDdBsZh0xfQyneSKJD7WgytLk=

x-amz-request-id: 3805B55A5D27E049

Last-Modified: Mon, 24 Nov 2014 22:28:10 GMT

ETag: "bcba8747ab53932f8613c006444078e9"

Server: NetDNA-cache/2.2

X-Cache: HIT

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^.
.K.................b...........6............@.........................
.........c..................................................(m........
..hx..`...............................................................
.............................text....a.......b.................. ..`.r
data...............f..............@..@.data................x..........
....@....ndata.......p...........................rsrc...(m.......n....
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@
..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u
....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..
T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.
[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /mypcbackup.1.5.0.2.101.7z HTTP/1.0

Host: cdn.backupgrid.net

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:21 GMT

Content-Type: application/octet-stream

Content-Length: 4072385

Connection: close

x-amz-id-2: HzXvZ4/bLHecjygMyom4QXZKoRhUh gVTkEqw5S6J oE4njKp9Y6eyveAzc2F5Ay

x-amz-request-id: A1B26A84E547586F

Last-Modified: Tue, 25 Nov 2014 19:49:29 GMT

ETag: "dea41132628ea08c816693a67102fd48"

Server: NetDNA-cache/2.2

X-Cache: HIT
7z..'.....p.|#>.....%........8l...`...\..I.})R...M.....f=o}.hcJ..7.
/.3..._....A.._-.PJE$..Y[f.j/..S.o;.r7J........E..."..j.....nb....I...
:....bal...?.....[.....S}....[. -...jG..U..y....8.....Q..,l........r..
.........W2]o.f....2..6.B....~.....#-..U)a.\.....q..!.../...A..6.A.p..
..P..7Vf....zki..Tx.h.B.6.u..x.txXD.)..k..U....Co...B..........q......
..C.\........j.1.q......4....@k....k.r*6...L.mni...dj....t.(..!.....'.
....Q.Q.|Rx............A...D......$....~...';.bU...\.<?#.X.....yu$.
...Y..t..BBh...M.........p...{_c..$Z.I..#b..Hd-6.....#&4=..v...5..i...
.........ouZ]K.^D.UK...b...Gu\.........i....f..I.w.....V.H.V.J&....W.h
O.......F..{S...W.(.....f..<.......Dg.d....{..$zkV..X...oc..... .!.
k.i..b. .Q(..p..w......&C.X..D.M.Y...PI...Ol.C ...M.wO...K.......lk...
.w..O.)...a`2.H..b:....w 7.WU@(8-....V....G.;......|.....q?|4.j....%..
.......Rg;.ZgN..~.............w*3...0.^.IySd...F_..6.".!..c.3...N:.kc.
._.R...[....o^..\..FmH....Q...T..T.O8....x\.>k'......<.^.\3NL1..
...v.n~O.=.F....Hp...,-GhuA..L.?......-.w.........J.R...<.......y.g
.......&.....J}..W...4...r..A...............R.R.m...yB....47.....5.!..
.....3.v.q.9]....S...(.3.!.iX........)...v...!G.#.]4....w..I4.?...`..E
..._.An.0........._..H... .q......h...W!....|..(...G[@.[..5Te..l..~.&g
t; ...|v..\.......K..........7ho..v4.ZHn. .. @.#.I. C`E.5....jx.....o.
).'{._.J.....t.c..........H,.7..d....`..J...........(..Q.5.)....8.).m.
N...;.......S."....a..:........?..~.....So(=....?5o.=...s<....6..&.
B......zD...%...'Pg7....'.>.~...h...2....S..".2......L..|r"?...<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=576514, public, no-transform, must-revalidate

Last-Modified: Fri, 12 Dec 2014 07:43:05 GMT

Expires: Fri, 19 Dec 2014 07:43:05 GMT

Date: Fri, 12 Dec 2014 15:37:52 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20141212074305Z0s0q0I0... ........
?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....201412
12074305Z....20141219074305Z0...*.H.............0...2T...h........Q...
.L..... D......PrHYs..t.GB..Mi{W....E.!p.:.N:1...v.&3....5i.......A...
.(o2]V=..X..j.O....n.w..yE.. ..&/../Z.....hS.................<r.8' 
.`9......=...1..>..1E..s2.U...-~. .YY.hpX.a..G.*..........,.....f..
..H. .F.5.0II.M.H.d.,0...%.b......0...0...0..{.........[..I|.....Zm..0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/
rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000
000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA 
OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.
-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f
..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*
..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.
....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... 
.......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#
.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com
/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o
...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo.....
.E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........<<< skipped >>>

GET /download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe HTTP/1.0

Host: download.microsoft.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.0 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 08 Aug 2008 21:48:10 GMT

Accept-Ranges: bytes

ETag: "df115773a0f9c81:0"

Server: Microsoft-IIS/8.0

Content-Disposition: attachment

Content-Length: 4961800

Date: Fri, 12 Dec 2014 15:34:15 GMT

Connection: close

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........K...K...
K.......D...K... ......._.......J.......J...RichK...........PE..L...{.
.B.................z..........rY... ........... ......................
........9.L.......... ..........................@...........t.........
....K..$...........!............................................... ..
.............................text....x... ...z.................. ..`.d
ata................~..............@....rsrc...t.........K.............
....@..@..............................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................t...Z.............
......&...<...L............................................... ...:
...J...V...^...x.......................................&...<...J...
^...t.......................................(...:...R...b...p.........
..........................&...N...b...|...............r.......\...L...
:...,...........................................~...f.................
......z...............................&...0...D...:...............:...
........$...................{..B.............&..................Z.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=513594

Content-Type: application/ocsp-response

Date: Fri, 12 Dec 2014 15:34:36 GMT

Etag: "548ae9a7-1d7"

Expires: Fri, 19 Dec 2014 03:34:36 GMT

Last-Modified: Fri, 12 Dec 2014 13:12:07 GMT

Server: ECS (ams/D1BF)

X-Cache: HIT

Content-Length: 471

0..........0..... .....0......0...0......E.......1-Q...!..m....2014121
1200000Z0s0q0I0... ............@..D3=?..Mn8...Q..E.......1-Q...!..m...
....._..fuSC.o.P.....20141211200000Z....20141218200000Z0...*.H........
.....=2.VR..[...6P>Fb.o .."....%.f..E|. .Gm.d....U?1...6.Xb.....5.!
..%@.B...Q.tM..u...`.....>p.)G.g.{...../..l....].Ov...1g2.:.Y.m.p..
H.d6.....s7.&Z?>....P..-..N....z..2-.u.\..?Rp.v......\..e...!..CPs.
... .......g@.........8.....Z.Y..2.../......k.g....2...6.......
.

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=515208

Content-Type: application/ocsp-response

Date: Fri, 12 Dec 2014 15:34:36 GMT

Etag: "548af15f-1d7"

Expires: Fri, 19 Dec 2014 03:34:36 GMT

Last-Modified: Fri, 12 Dec 2014 13:45:03 GMT

Server: ECS (ams/D1C4)

X-Cache: HIT

Content-Length: 471
0..........0..... .....0......0...0......Z..{*....q..`.-.eu.X..2014121
2133000Z0s0q0I0... .........G.h...#......Vm.Q....Z..{*....q..`.-.eu.X.
.....2hT........\....20141212133000Z....20141219134500Z0...*.H........
.....{....gM.n^P...qkw.><6c?q.....E.V..O..... #_-.q.*M.y...l....
.....(.....?..O....vP..7.@.)....Q5%."..L@.x.Y/"CPpJ.q..N.!.....p.s....
mS..YbR}..c.is.O.|....m..l.(..6n\f.c.T.B#.}..9.....h.......T..zti.U.b.
....'~xS..`.t.`....*v.)x........n....d..l3..s..LXg...W...HTTP/1.1 200 
OK..Accept-Ranges: bytes..Cache-Control: max-age=515208..Content-Type:
 application/ocsp-response..Date: Fri, 12 Dec 2014 15:34:36 GMT..Etag:
 "548af15f-1d7"..Expires: Fri, 19 Dec 2014 03:34:36 GMT..Last-Modified
: Fri, 12 Dec 2014 13:45:03 GMT..Server: ECS (ams/D1C4)..X-Cache: HIT.
.Content-Length: 471..0..........0..... .....0......0...0......Z..{*..
..q..`.-.eu.X..20141212133000Z0s0q0I0... .........G.h...#......Vm.Q...
.Z..{*....q..`.-.eu.X......2hT........\....20141212133000Z....20141219
134500Z0...*.H.............{....gM.n^P...qkw.><6c?q.....E.V..O..
... #_-.q.*M.y...l.........(.....?..O....vP..7.@.)....Q5%."..L@.x.Y/"C
PpJ.q..N.!.....p.s....mS..YbR}..c.is.O.|....m..l.(..6n\f.c.T.B#.}..9..
...h.......T..zti.U.b.....'~xS..`.t.`....*v.)x........n....d..l3..s..L
Xg...W.....<<< skipped >>>

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=0-299999

Connection: keep-alive


HTTP/1.1 206 Partial Content

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

ETag: "4b1e700-2dc5623-508c5f506dac8"

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

X-Cache-Info: cached

Cache-Control: max-age=298443

Expires: Tue, 16 Dec 2014 02:28:20 GMT

Date: Fri, 12 Dec 2014 15:34:17 GMT

Content-Range: bytes 0-299999/47994403

Content-Length: 300000

Connection: keep-alive
MAR1..M.......V#............^^...{...6.N[.>7F...#...].[..N..K.^i._.
.AP..z.|....~/G6..:.....A....G..hio.j.66\..*.7..(g!W6Pj..X.\.....s....
.Z.A....&..A.f.-...?&.m...%..)z5^.N&.W......7..b.j..y_O.p.....7HN..-.?
......S.%$N..,...$.Og.v...?3xv"{.c6G....`|?,?(....R....g."%F.x\.9.~{I.
.}\\..........h....firefox-mozilla-release.34.0.5.....................
.............................................BZh91AY&SYs.-........P...
~.......P.............%4....ML....h.h....H&L..@&.z.h..0H.D.OP......4.0
..@..h4.@...&MMO).i.5$......$u.6z..bi...m6..6.kn,..c.}@..j._*..J..Qn.\
..J..b".-.,D$u..;T6...p..........$..ou...d...p."...j...........t.8....
.{I........w."..g:.P..8..pq...@a..ng..j.m.....=!..B...v..XCxp.a...j...
G5....~...,..P........P.........9....D.jHb....B..}_.........^..~f.EU..
fA.....g......r.n......X|.....h.hE?.....qt.H3g...n..k). ..o.....L...&l
t;...i...~/..M. .3.*.....M.X.).I....f..^......yH.... ...~9`.P.&w5...B.
.:.v=..e.h..#.d....e.....i..]o1b../U.......D....R%v.>y..U...")n.W..
".'....((..r).Z..U_...)E.&....Z!V.#...w.Y..mG....).....F..G...]...*L..
...D..!.Q.~*,(..jE.Ub%.c.....$f... ..r...$...-.. .P..T...E...a,.G&..&d
r...T#. ....F."1B{...ehdo...$..H.a.e.....9...X...FP...h.!.$Q...G99M...
{.w..V<.Ae.....I.E............f.e.......`.....(....m..4O.h.B..'....
....../....[..#.U.l9.;.b.a....=_K..G[;.h..O..CdlH..Z..!....t...".?....
.N.$..KA.BZh91AY&SY.t....._...P...~.......P.8..V.M2TP.$..Sz.$0.4..FM2h
`4...4.h..4.....@#.Q...........4.....I.j.....F...M.@.I....G..n..HD.Q..
.l..mR......n<<>5....|k..P4.........L.....4.....9...]....<<< skipped >>>

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=300000-599999

If-Range: "4b1e700-2dc5623-508c5f506dac8"

Connection: keep-alive


HTTP/1.1 206 Partial Content

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

ETag: "4b1e700-2dc5623-508c5f506dac8"

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

X-Cache-Info: cached

Cache-Control: max-age=298381

Expires: Tue, 16 Dec 2014 02:28:20 GMT

Date: Fri, 12 Dec 2014 15:35:19 GMT

Content-Range: bytes 300000-599999/47994403

Content-Length: 300000

Connection: keep-alive
.]..a.....E.9H......M...nX...~:\...}..|9}R.;S/."....)G..tQ.y*">s...
..6l.k.6..d.w...../.....u.........h../...3}...]8..OB.~.*a....p.lc.....
$.D..<l..r9}..Pp....\..4I$.1. w.Q.^..I....'s.=.....$.7../....~ S..o
.g$.&.Jv.......'F..,......a.g.d..c.....fm..eH.P].E.~../I...ywy...:....
S./.uj.z..ej..>.:.......t}.....'(...i..,($.............[.u96.T....u
'8...Mh..:q.F&. ...c...@..h...]."6.;qJ!......:......A..#Sf..&.....LW.U
<3DU9.....zY......F...d6r.......\...{|cvc...z.=......R.G.6.;.......
...'F...^..F........O..........n.....3J^....7...{.]...../.n&...|...;.2
.0.U;..J5...F.7..E..@...el.).Z.;...Y..8..O.)Y?..{\.....m.U....K[d...pw
\_.j..b..e$....)3...gj.JJ.-.0JIH.^%7..!..2X.q}..ffmv....&z.'..........
...=.|..[9........@.]..b.....z._..F.}...xb...e....t.*.....$...I.Zfc!..
R....8..}F...K.S).[&!7.q.!y..(.....8..1..:G...vk..Oj....".O.........r.
$9v.B.B.......f......~V....&.....ZIQ1....#7/.......c.K.z..M.J.=._...4[
.x.ty?..iD.bt]}...*8.t.m9..NjJ.l..:,J.5...C.r.n..c..T.D....s.*..w...h.
.#..2......X)....7....a..h<5...^.{*6....N.....qO...[c..1U.....6....
tc\.g.G.K..b.. .@....!..M8$.........=....T_..........N%....j..m..Dd.'O
.....^'..o.'!..{.#/}.p..;.uQ..q..:..po[.n..1e.............xn?UU;}dL..Y
.R....#].p. .[.>e.8..Y..3..,....z.9..n._......}.nL.n......A.......t
.g1.jJ..Y.=y...$....T..T.....]...evi.3.a.j.9...D-J'.0..IGc5Y.g...fW.Q.
C.DM..r.w...l.........R>.a.P.iA.......*{dk,...5.u=.....e..3Bl..dv..
5.v.Hm..">....ow..w.............C...m..hC....kc#s...a.....t.cc)..(.
.._.....z.......<@." .R%S.s......|.1A..}X...Y*'O....3*Y}.G....~<<< skipped >>>

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=600000-899999

If-Range: "4b1e700-2dc5623-508c5f506dac8"

Connection: keep-alive


HTTP/1.1 206 Partial Content

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

ETag: "4b1e700-2dc5623-508c5f506dac8"

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

X-Cache-Info: cached

Cache-Control: max-age=298321

Expires: Tue, 16 Dec 2014 02:28:20 GMT

Date: Fri, 12 Dec 2014 15:36:19 GMT

Content-Range: bytes 600000-899999/47994403

Content-Length: 300000

Connection: keep-alive
.b.w..&35....b....c..U.....-.l.6..a......$6.Y.?~.6.-......2.Kt.Y...@zP
...#.8s..Z;.........W3......~c6J.=WWy.Mqh...";..........E.&H.v......).
.*...K..9.....r>..>..6ze...6..........K...$..*K...3......K...2..
!k.|%..5.....j...Hc..5......a.#<....dVN.p..."...u.Jjzm.j....4.o...o
.]....4..>.........nM.....hX..[....D..v......G..E....0.}...$(.i....
...bu(..H#.U.t....#.M....H.9h.=..".P. .c.....l.nq]u...$....0.....,..-.
...x.6-....]..rj5M..*..U.#.ippF....s.q..l.3.B...........e~.DT....w.K..
.m....e..4.W.....m[.U.....Ms.G. ...~x..i...;.z....un}c..<i.k.~...D.
.\...#.~....x|..\e.6..#V.a.&..c<k..l.W....?...7..}.<...9......d.
.....3.x.y....t.J9.qV.q............Lb`.....b......L.m.....p. ;.<..l
...."mZ....[.7.w..D0.....4y.\...5n.i.....Lw...~.G?8........IU.....%.!7
...|.....rG.}S...y.V.[...Kf.....!}..Ll....k.8C.%./..>..r......f....
V.6..ks......5...1.>......F........XE.nqN...N.AU..}..z...E...B.6. .
.@(.. P.GQp6{;.Q..........F,Qliqes.y2.....S5O.:`0.g..a.]F..t....;.;.pk
...0.....*...M._1 ^.7>|...3.X>J.........!.............'.r..<.
3......te...U.ap..~.*}.u.....X.....s...?.8.".......s...JFP.....}gl.7.(
.....eN...w.pYm%.Re.....Y..%..k........i....D.......S....:.;i.y...p.H:
.i:.U.o..m..;....L.2......;.y.&@.j...=..j...v..E.....@Adk|.A.T...5....
k4.....;.|.&.2.t...I.....C...........v>..-./.X.....u......l).l..0fn
..'.7....A...^..j....0.... ......5..J>.B=0...R!z..jI.......gg.n..r6
".)Rc..D.Y.....-.......6..5... ..}/[......7=..-....X^.5(..'.-....5..!.
)..$..U....?........^^...E...:..X..m..K...1uQw<....\o...p.s.V..<<< skipped >>>

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=900000-1199999

If-Range: "4b1e700-2dc5623-508c5f506dac8"

Connection: keep-alive


HTTP/1.1 206 Partial Content

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

ETag: "4b1e700-2dc5623-508c5f506dac8"

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

X-Cache-Info: cached

Cache-Control: max-age=298260

Expires: Tue, 16 Dec 2014 02:28:20 GMT

Date: Fri, 12 Dec 2014 15:37:20 GMT

Content-Range: bytes 900000-1199999/47994403

Content-Length: 300000

Connection: keep-alive
d,.f.\s..H.vB9..b.I`.b..8%..g..m....x..*.....{....?..u;f....._nU._....
..y q....].~..N...=....c.:..wuz. g...O?....*-..U..,..]u.iE...9..s.gN..
5.A.v....;BK..H.....>.J..T.n.#. .......^:...9.giR..h.s..dX[:..D..3.
..I.`.5..pb.s.-..........P...M.3.,.Z.....t.&Z$nJ."o'.\..O.h.B,Y.......
W.........!<.eu.BWsJ.=...Z.l....~..l'...l..9l|....d.x....Fw.B.Gv8..
..2.XJ.Ed..r...V.J.%.$.~^..N..b.....!..w h-..3.......C[m......R.*/.@.m
Jg..L.......t.#A....X......D.B.....w.d...$6....8.I....GP..e...o\.UJ.u.
.yX.I....c..<KG..T......L..mT..,7rA..g..".?....../.&...dI......&.. 
.k..p.....s..J\..J..p....!.1(...U...A=.......D.....{.H.....v..5!..w...
....&.s|......=...V...Ig..Dp..@k..*...o".......Q..r..l]u.u/...(.i.....
.(..j........1.g7..f._N..eVm..~...)%.hX0Zm............z.w...R.".^.hI.Q
..nZ@..|....@l4....z...f..ll..._.....(!$....gR..;O.$$#...w.{.k.hB.4.?.
....u.$...&}.......Od.. ....".......;[.7@.......n....h$.n.[...B?n.....
.$.\%2........!S...l.(.k...:......c...h.f/...x..VZ..A..R*~....dHh.....
9...I.m IW..a1.$u8..o..@........h<...i.v./-.\-......d..~h..H. ..6.M
..0....Z.A.T....N..K @....j%....U:.^..z...~.I.....F"..J...`.......1F$.
..s.D......x$O6....;r.P./.es4.*......n.{g._.U..R?(......|.....B.......
m.N....p&.Z......*..ZQ..VR..[..8@".1xy.P..........z.n^.<....^...n3.
..1...'Ki../...n.A.........cs...0n@Zh.W....B..<.M$..2..|.v.n/6...V.
.......lE/......w8-........-R..\e...WA...756.H.]/d.....-......'.......
.. ..4J@.<.S.4....Fu6%...du.iP.....*>........%/..>#..}....._.
..c.b.f..!...D%L...../.......,...o&u...#..1...Ex.k.P.. .S.J/......<<< skipped >>>

GET /js/jqueryslidemenu.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Wed, 23 Feb 2011 06:28:48 GMT

Accept-Ranges: bytes

Content-Length: 2511

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript
/*********************.//* jQuery Multi Level CSS Menu #2- By Dynamic 
Drive: hXXp://VVV.dynamicdrive.com/.//* Last update: Nov 7th, 08': Lim
it # of queued animations to minmize animation stuttering.//* Menu ava
iable at DD CSS Library: hXXp://VVV.dynamicdrive.com/style/.**********
***********/..//Update: April 12th, 10: Fixed compat issue with jquery
 1.4x..//Specify full URL to down and right arrow images (23 is paddin
g-right to add to top level LIs with drop downs):.var arrowimages={dow
n:['downarrowclass', '', 23], right:['rightarrowclass', '']}..var jque
ryslidemenu={..animateduration: {over: 200, out: 100}, //duration of s
lide in/ out animation, in milliseconds..buildmenu:function(menuid, ar
rowsvar){..jQuery(document).ready(function($){...var $mainmenu=$("#" m
enuid ">ul")...var $headers=$mainmenu.find("ul").parent()...$header
s.each(function(i){....var $curobj=$(this)....var $subul=$(this).find(
'ul:eq(0)')....this._dimensions={w:this.offsetWidth, h:this.offsetHeig
ht, subulw:$subul.outerWidth(), subulh:$subul.outerHeight()}....this.i
stopheader=$curobj.parents("ul").length==1? true : false....$subul.css
({top:this.istopheader? this._dimensions.h "px" : 0})....$curobj.child
ren("a:eq(0)").css(this.istopheader? {paddingRight: arrowsvar.down[2]}
 : {}).append(.....'<img src="'  (this.istopheader? arrowsvar.down[
1] : arrowsvar.right[1])..... '" class="'   (this.istopheader? arrowsv
ar.down[0] : arrowsvar.right[0]).....  '" style="border:0;" />'....
)....$curobj.hover(.....function(e){......var $targetul=$(this).ch<<< skipped >>>

GET /js/cufon-yui.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Sun, 04 Dec 2011 00:11:18 GMT

Accept-Ranges: bytes

Content-Length: 18258

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: application/javascript
/*. * Copyright (c) 2009 Simo Kinnunen.. * Licensed under the MIT lice
nse.. *. * @version 1.09i. */.var Cufon=(function(){var m=function(){r
eturn m.replace.apply(null,arguments)};var x=m.DOM={ready:(function(){
var C=false,E={loaded:1,complete:1};var B=[],D=function(){if(C){return
}C=true;for(var F;F=B.shift();F()){}};if(document.addEventListener){do
cument.addEventListener("DOMContentLoaded",D,false);window.addEventLis
tener("pageshow",D,false)}if(!window.opera&&document.readyState){(func
tion(){E[document.readyState]?D():setTimeout(arguments.callee,10)})()}
if(document.readyState&&document.createStyleSheet){(function(){try{doc
ument.body.doScroll("left");D()}catch(F){setTimeout(arguments.callee,1
)}})()}q(window,"load",D);return function(F){if(!arguments.length){D()
}else{C?F():B.push(F)}}})(),root:function(){return document.documentEl
ement||document.body}};var n=m.CSS={Size:function(C,B){this.value=pars
eFloat(C);this.unit=String(C).match(/[a-z%]*$/)[0]||"px";this.convert=
function(D){return D/B*this.value};this.convertFrom=function(D){return
 D/this.value*B};this.toString=function(){return this.value this.unit}
},addClass:function(C,B){var D=C.className;C.className=D (D&&" ") B;re
turn C},color:j(function(C){var B={};B.color=C.replace(/^rgba\((.*?),\
s*([\d.] )\)/,function(E,D,F){B.opacity=parseFloat(F);return"rgb(" D "
)"});return B}),fontStretch:j(function(B){if(typeof B=="number"){retur
n B}if(/%$/.test(B)){return parseFloat(B)/100}return{"ultra-condensed"
:0.5,"extra-condensed":0.625,condensed:0.75,"semi-condensed":0.875<<< skipped >>>

GET /css/jqueryslidemenu.css HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/css,*/*;q=0.1

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Mon, 05 Dec 2011 01:41:00 GMT

Accept-Ranges: bytes

Content-Length: 2387

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: text/css
#myslidemenu {.  width: 100%;.}..jqueryslidemenu{.}...jqueryslidemenu 
ul{.  margin: 0 ;.  padding: 0;.  list-style-type: none;.}../*Top leve
l list items*/..jqueryslidemenu ul li {.  position: relative;.  displa
y: inline;.  float: left;.  z-index:999;.  margin: 0 15px 5px 0;.  pad
ding-right: 10px;.  /*background: url(../images/menudivider.png) top r
ight no-repeat;*/.}./*Top level menu link items style*/..jqueryslideme
nu ul li a {.  font-size: 15px;.  color: #2a92bd;.  text-shadow: #ffff
ff 1px 1px;.  font-family: "Lucida Grande", "Lucida Sans Unicode", Ari
al, Verdana, sans-serif;.}..jqueryslidemenu ul li.last {.  margin-righ
t: 0;.  padding-right: 15px; .  background: none;.}.* html .jqueryslid
emenu ul li a{ /*IE6 hack to get sub menu links to behave correctly*/.
display: inline-block;.}...jqueryslidemenu ul li a:link, .jqueryslidem
enu ul li a:visited{  .  color: #2a92bd;.}..jqueryslidemenu ul li a.se
lected {.  color: #555555;.}..jqueryslidemenu ul li a:hover{.  color: 
#555555;.  text-decoration: none;.}.../*1st sub level menu*/..jquerysl
idemenu ul li ul{.  position: absolute;.  left: 0;.  display: block;. 
 visibility: hidden;.  padding-top: 13px;.  z-index: 99999;.  backgrou
nd: url(../images/topmenu.png) top left no-repeat;.}../*Sub level menu
 list items (undo style from Top level List Items)*/..jqueryslidemenu 
ul li ul li{.  margin: 0;.  padding: 0;.  border: none;.  z-index: 999
99;.  background-color: #fafafa;.}../*All subsequent sub menu levels v
ertical offset after 1st level sub menu */..jqueryslidemenu ul li <<< skipped >>>

GET /images/sidebar-line.jpg HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Tue, 02 Sep 2014 20:07:00 GMT

Accept-Ranges: bytes

Content-Length: 531

Keep-Alive: timeout=5, max=97

Connection: Keep-Alive

Content-Type: image/jpeg

......JFIF.....H.H.....C..............................................
......................C...............................................
............................."........................................
...............................................................O......
........................?................................?............
.............1........?...................................?!..........
.....................................?................................
?..................................?..G..HTTP/1.1 200 OK..Date: Fri, 1
2 Dec 2014 15:34:17 GMT..Server: Apache/2.2.29..Last-Modified: Tue, 02
 Sep 2014 20:07:00 GMT..Accept-Ranges: bytes..Content-Length: 531..Kee
p-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: imag
e/jpeg........JFIF.....H.H.....C......................................
..............................C.......................................
....................................."................................
......................................................................
.O..............................?................................?....
.....................1........?...................................?!..
.............................................?........................
........?..................................?..G....

<<< skipped >>>

GET /js/jquery.prettyPhoto.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 25 Nov 2010 09:19:24 GMT

Accept-Ranges: bytes

Content-Length: 21810

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript
/* -------------------------------------------------------------------
-----. * Class: prettyPhoto. * Use: Lightbox clone for jQuery. * Autho
r: Stephane Caron (hXXp://VVV.no-margin-for-errors.com). * Version: 3.
0.1. * ---------------------------------------------------------------
---------- */..(function($){$.prettyPhoto={version:'3.0'};$.fn.prettyP
hoto=function(pp_settings){pp_settings=jQuery.extend({animation_speed:
'fast',slideshow:false,autoplay_slideshow:false,opacity:0.80,show_titl
e:true,allow_resize:true,default_width:500,default_height:344,counter_
separator_label:'/',theme:'facebook',hideflash:false,wmode:'opaque',au
toplay:true,modal:false,overlay_gallery:true,keyboard_shortcuts:true,c
hangepicturecallback:function(){},callback:function(){},markup:'<di
v class="pp_pic_holder"> \.      <div class="ppt"> </
div> \.      <div class="pp_top"> \.       <div class="pp_
left"></div> \.       <div class="pp_middle"></div&g
t; \.       <div class="pp_right"></div> \.      </div&
gt; \.      <div class="pp_content_container"> \.       <div 
class="pp_left"> \.       <div class="pp_right"> \.        &l
t;div class="pp_content"> \.         <div class="pp_loaderIcon"&
gt;</div> \.         <div class="pp_fade"> \.          <
;a href="#" class="pp_expand" title="Expand the image">Expand</a
> \.          <div class="pp_hoverContainer"> \.           &l
t;a class="pp_next" href="#">next</a> \.           <a <<< skipped >>>

GET /images/bg-header.png HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 01 Dec 2011 09:34:00 GMT

Accept-Ranges: bytes

Content-Length: 2818

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR.......?......R.W....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;.
.m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
.b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......<<< skipped >>>

GET /js/jquery.js HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:16 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 25 Nov 2010 09:17:04 GMT

Accept-Ranges: bytes

Content-Length: 78600

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript
/*!. * jQuery JavaScript Library v1.4.4. * hXXp://jquery.com/. *. * Co
pyright 2010, John Resig. * Dual licensed under the MIT or GPL Version
 2 licenses.. * hXXp://jquery.org/license. *. * Includes Sizzle.js. * 
hXXp://sizzlejs.com/. * Copyright 2010, The Dojo Foundation. * Release
d under the MIT, BSD, and GPL Licenses.. *. * Date: Thu Nov 11 19:04:5
3 2010 -0500. */.(function(E,B){function ka(a,b,d){if(d===B&&a.nodeTyp
e===1){d=a.getAttribute("data-" b);if(typeof d==="string"){try{d=d==="
true"?true:d==="false"?false:d==="null"?null:!c.isNaN(d)?parseFloat(d)
:Ja.test(d)?c.parseJSON(d):d}catch(e){}c.data(a,b,d)}else d=B}return d
}function U(){return false}function ca(){return true}function la(a,b,d
){d[0].type=a;return c.event.handle.apply(b,d)}function Ka(a){var b,d,
e,f,h,l,k,o,x,r,A,C=[];f=[];h=c.data(this,this.nodeType?"events":"__ev
ents__");if(typeof h==="function")h=.h.events;if(!(a.liveFired===this|
|!h||!h.live||a.button&&a.type==="click")){if(a.namespace)A=RegExp("(^
|\\.)" a.namespace.split(".").join("\\.(?:.*\\.)?") "(\\.|$)");a.liveF
ired=this;var J=h.live.slice(0);for(k=0;k<J.length;k  ){h=J[k];h.or
igType.replace(X,"")===a.type?f.push(h.selector):J.splice(k--,1)}f=c(a
.target).closest(f,a.currentTarget);o=0;for(x=f.length;o<x;o  ){r=f
[o];for(k=0;k<J.length;k  ){h=J[k];if(r.selector===h.selector&&(!A|
|A.test(h.namespace))){l=r.elem;e=null;if(h.preType==="mouseenter"||.h
.preType==="mouseleave"){a.type=h.preType;e=c(a.relatedTarget).closest
(h.selector)[0]}if(!e||e!==l)C.push({elem:l,handleObj:h,level:r.le<<< skipped >>>

GET /images/topwrapper.png HTTP/1.1

Host: VVV.freemediaplayer.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: hXXp://VVV.freemediaplayer.net/css/style.css

Connection: keep-alive


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:34:17 GMT

Server: Apache/2.2.29

Last-Modified: Thu, 01 Dec 2011 09:34:34 GMT

Accept-Ranges: bytes

Content-Length: 5057

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR............. .......pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;.
.m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
.b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......<<< skipped >>>

GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1

Host: download.mozilla.org

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=0-299999

Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1

Connection: keep-alive


HTTP/1.1 302 Found

Server: Apache

X-Backend-Server: bouncer2.webapp.phx1.mozilla.com

Cache-Control: max-age=60

Content-Type: text/html; charset=UTF-8

Date: Fri, 12 Dec 2014 15:34:16 GMT

Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar

Keep-Alive: timeout=3, max=500

Content-Length: 0

Connection: Keep-Alive

X-Cache-Info: cached

HTTP/1.1 302 Found..Server: Apache..X-Backend-Server: bouncer2.webapp.
phx1.mozilla.com..Cache-Control: max-age=60..Content-Type: text/html; 
charset=UTF-8..Date: Fri, 12 Dec 2014 15:34:16 GMT..Location: hXXp://d
ownload.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US
/firefox-34.0.5.complete.mar..Keep-Alive: timeout=3, max=500..Content-
Length: 0..Connection: Keep-Alive..X-Cache-Info: cached..

GET /install/win/1/live/net2 HTTP/1.0

Host: ep.backupgrid.net

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 302 Found

Date: Fri, 12 Dec 2014 15:34:21 GMT

Server: Apache

Set-Cookie: SESSID=5o7r34ot62bc5ipac9our9i7g7; path=/; domain=.backupgrid.net

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

Set-Cookie: BGWWW=3171957029.1.1047655536.117394240; path=/

GET /0ebf8ab7/D0wnloads/MyPCBackup_Setup.exe HTTP/1.0

Host: track.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 301 Moved Permanently

Date: Fri, 12 Dec 2014 15:34:13 GMT

Server: Apache

Set-Cookie: SESSID=u3vvf9pcicbte3vpudglsa67u0; path=/; domain=.mypcbackup.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: 748a7624422584634822bd3a2bf604ae=6ed4d5c319bd2bb2f73b6f2aadac5196; expires=Sat, 11-Apr-2015 15:34:13 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: intc=1; expires=Sat, 13-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com

P3P: CP="We do not have a P3P policy"

location: hXXp://cdn.mypcbackup.com/MyPCBackup_Setup.exe

Set-Cookie: aff_id=62639; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_name=62639; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_id=88621; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hash=8bc87423cceb4e406cf46fbe94f33f2c; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: tid=D0wnloads; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: 0ebf8ab7unique=true; expires=Thu, 12-Mar-2015 15:34:13 GMT; path=/; domain=mypcbackup.com

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

Set-Cookie: MPBWWW=3171957029.1.1047620528.117384224; path=/
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRtl6lMY2+iPob4twryIF+FfgUdvwQUK8NGq7oOyWUqRtF5R8Ri4uHa/LgCEBBwnU/1VAjXMGAB2OqRdbs= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.usertrust.com


HTTP/1.1 200 OK

Date: Fri, 12 Dec 2014 15:38:00 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Fri, 12 Dec 2014 03:13:37 GMT

Expires: Tue, 16 Dec 2014 03:13:37 GMT

ETag: 88AA22A36C9E9428A79B665B930D01ADC1CB423E

Cache-Control: max-age=300336,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp4

Content-Length: 471

Connection: close

Content-Type: application/ocsp-response
0..........0..... .....0......0...0...... .F....e*F.yG.b.......2014121
2031337Z0s0q0I0... ........m..Lco.>..... _.~..... .F....e*F.yG.b...
.....p.O.T..0`....u.....20141212031337Z....20141216031337Z0...*.H.....
.........u..zA.E....N.<....<.y..!5\.(;..D......9|.j....^N..m.E..
b...j..3{.....X6..4.%....%...AK,b._....9...*.N...1%^^.Y....R.I3.q#55..
..QX.y....6.'~...R...3AU.U%.z.p..1.v..=....4L..{.`..u...E.D":.59..W}(.
.W.o.....Zwwg...).........a.....;&...;j.=..O"-.~..M...n.H.....

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=445778, public, no-transform, must-revalidate

Last-Modified: Wed, 10 Dec 2014 19:23:09 GMT

Expires: Wed, 17 Dec 2014 19:23:09 GMT

Date: Fri, 12 Dec 2014 15:37:51 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2014121
0192309Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20141210192309Z....20141217192309Z0...*.H........
......uL..c..`*..T.&-.62..y.Zk.&.....^.......Y...`j,... \...D.*.(...%~
.8.^...kE}.E.......A.;....M..E....h..xJ..lM...(J4R|xQ..u.'W$.qM.......
8J........$.Y...@)..b.Q..^... P{...A...!.&...3..&!io> .... ...0....
.h.i2..<).mrl....C.....Mas..Z.WN^.j....B ......^d|..6.....0...0...0
..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....Ver
iSign, Inc.1705..U....Class 3 Public Primary Certification Authority0.
..141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corp
oration1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PC
A - G1 OCSP Responder Certificate 30.."0...*.H.............0..........
'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-;
 ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS
.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=.
_...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..
U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .
......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........
0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H...........
..$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..
D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,t>....<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=405531, public, no-transform, must-revalidate

Last-Modified: Wed, 10 Dec 2014 08:12:45 GMT

Expires: Wed, 17 Dec 2014 08:12:45 GMT

Date: Fri, 12 Dec 2014 15:37:51 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
0081245Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20141210081245Z....20141217081245Z0...*.H........
...../2.7jy.wVv.....8.....t7.[..O...C._..{...Ch.}...!...<..t..z.n..
..%...-S0..Nq..-.._`.....v.s. m..[1?LX...Y..?{.m.y.......W.lX..<Kg8
^).p/...-...E. ....../..:(..H..X@....iZ?.6.o....Rx.%..OU..5..$.d..,...
...7e....R.F.s.f..\.SR$.MR..;%.....g.Sh.....)..;h....[L.X...#0...0...0
..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.....{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(.
.........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG
.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l.
...(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H<<< skipped >>>

POST /ocsp HTTP/1.1

Host: clients1.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Length: 107

Content-Type: application/ocsp-request

Connection: keep-alive

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..&...m..U..0.0... .....0...
0... .....0..
HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Fri, 12 Dec 2014 15:36:39 GMT

Expires: Tue, 16 Dec 2014 15:36:39 GMT

Cache-Control: public, max-age=345600

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=0.002
0..........0..... .....0......0...0......J......h.v....b..Z./..2014121
2130314Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.&...m..U....20141212130314Z....20141219130314Z0...*.H.............z..
.S.....YH9. ../...*Os......#.....^g......k..<.^c.N.[P..:D6M.n._....
.........L...;.og.......?..ZH...X(.&$.m..t.TDv.6..w..TJ_...>.$RQ.`l
.&.&u.^6............  ..7.......xm@.:....~iy.k#v).E".&'Y..i;..Do.Ry..9
.\q....5......?.......\...!...(0...h...]. ".....RHTTP/1.1 200 OK..Cont
ent-Type: application/ocsp-response..Date: Fri, 12 Dec 2014 15:36:39 G
MT..Expires: Tue, 16 Dec 2014 15:36:39 GMT..Cache-Control: public, max
-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protec
tion: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 
80:quic,p=0.002..0..........0..... .....0......0...0......J......h.v..
..b..Z./..20141212130314Z0k0i0A0... ..........j.....p.I.#z...(~d..J...
...h.v....b..Z./..&...m..U....20141212130314Z....20141219130314Z0...*.
H.............z...S.....YH9. ../...*Os......#.....^g......k..<.^c.N
.[P..:D6M.n._.............L...;.og.......?..ZH...X(.&$.m..t.TDv.6..w..
TJ_...>.$RQ.`l.&.&u.^6............  ..7.......xm@.:....~iy.k#v).E".
&'Y..i;..Do.Ry..9.\q....5......?.......\...!...(0...h...]. ".....R..<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=450202, public, no-transform, must-revalidate

Last-Modified: Wed, 10 Dec 2014 20:37:53 GMT

Expires: Wed, 17 Dec 2014 20:37:53 GMT

Date: Fri, 12 Dec 2014 15:37:54 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
0203753Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20141210203753Z....20141217203753Z0...*.H........
.....8.Y.....a.al..aR........zdZ..v.P..\W.5..e.<...@V.q.....{]..-..
.g}J.F......1....7r..z...._xK...,.H.JD..._...r3S.ua0...a A.1.xg.G.s.-.
..b....F..Tw....11U.....#....<.4".....@..'._)_.......A..(...`."...E
Xo.)} .........F...?....q.(....?3..3.R./z..M..Q.1.&...B.....#0...0...0
..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.....{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(.
.........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG
.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l.
...(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

singleZenSearch.exe_928:

.text

`.rdata

@.data

.rsrc

@.reloc

D$@j.Xf

j.Xf9

<:%u4

t8Ht.HHt#

#t.Ht

.RRhH

 2 34 567

SSShe

u.WWS

[j.XPV

j.Yf;

</tq<\tm<.um

t>j.Xf9

_tcPVj@

.PjRW

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

GetProcessWindowStation

operator

' or keyword='

delete from keywords where short_name='

insert into keywords (short_name, keyword, favicon_url, url, show_in_default_list, safe_for_autoreplace, input_encodings) values("

insert into meta(key,value) values('Default Search Provider ID',

SELECT id FROM keywords where short_name='

delete from keywords where id=

SELECT min(id) id FROM keywords

where key='Default Search Provider ID'

chrome_url_overrides

SELECT k.id, k.short_name, k.keyword, k.url, k.favicon_url FROM keywords k INNER JOIN meta m ON m.value=k.id WHERE m.key='Default Search Provider ID' LIMIT 1

webRequest

webRequestInternal

extensions.known_disabled

from_webstore

insert into locale(name,description,creator,homepageURL) values('

select seq from SQLITE_SEQUENCE where name='locale'

insert into addon (pendingUninstall,type,visible,active,userDisabled,appDisabled,installDate,updateDate,applyBackgroundUpdates,softDisabled,id,location,descriptor,defaultLocale) values ('0','extension','1','1','0','0',strftime('%s'), strftime('%s'),'1','0','

{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

.addons

extensions.installCache

updateURL

updateKey

optionsURL

aboutURL

iconURL

icon64URL

homepageURL

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

user_pref("browser.search.selectedEngine", "

Line %d, Column %d

-echo print commands before execution

-version show SQLite version

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

CREATE TABLE sqlite_master(

sql text

3.7.8

CREATE TEMP TABLE sqlite_temp_master(

inflate 1.1.3 Copyright 1995-1998 Mark Adler

sqlite_sequence

sqlite_stat1

sqlite_

sqlite_master

sqlite_temp_master

iskeyword

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

RowKey

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjX

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_parent

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

sqlite_detach

sqlite_attach

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat2

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

DELETE FROM %s.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

sqlite_version

sqlite_source_id

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_get

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_keys

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s TABLE %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid>? AND rowid<?)

%s (rowid>?)

%s (rowid<?)

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

at most %d tables in a join

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

C:\projects\git\git.zensearch\ZenSearch.20131230\installers\_ZenSearch\single_installer\Release\singleZenSearch.pdb

KERNEL32.dll

USER32.dll

RegOpenKeyW

RegDeleteKeyW

RegCloseKey

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHCopyKeyW

SHDeleteKeyW

SHLWAPI.dll

URLDownloadToCacheFileW

urlmon.dll

PSAPI.DLL

GetProcessHeap

GetCPInfo

zcÁ

.?AVCChromeExtension@@

.timer ON|OFF Turn the CPU timer measurement on or off

.backup ?DB? FILE Backup DB (default "main") to FILE

.bail ON|OFF Stop after hitting an error. Default OFF

.databases List names and files of attached databases

.dump ?TABLE? ... Dump the database in an SQL text format

.echo ON|OFF Turn command echo on or off

.exit Exit this program

.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.

.header(s) ON|OFF Turn display of headers on or off

.help Show this message

.import FILE TABLE Import data from FILE into TABLE

.indices ?TABLE? Show names of all indices

.load FILE ?ENTRY? Load an extension library

.log FILE|off Turn logging on or off. FILE can be stderr/stdout

.mode MODE ?TABLE? Set output mode where MODE is one of:

column Left-aligned columns. (See .width)

insert SQL insert statements for TABLE

list Values delimited by .separator string

.nullvalue STRING Print STRING in place of NULL values

.output FILENAME Send output to FILENAME

.output stdout Send output to the screen

.prompt MAIN CONTINUE Replace the standard prompts

.quit Exit this program

.read FILENAME Execute SQL in FILENAME

.restore ?DB? FILE Restore content of DB (default "main") from FILE

.schema ?TABLE? Show the CREATE statements

.separator STRING Change separator used by output mode and .import

.show Show the current values for various settings

.stats ON|OFF Turn stats on or off

.tables ?TABLE? List names of tables

.timeout MS Try opening locked tables for MS milliseconds

.width NUM1 NUM2 ... Set column widths for "column" mode

IEStart.exe

ZyrL*%U

j.KL9

"%s}M

1.QJp

}(..fs

.tYsx

d^6.PZ

IEStart_x64.exe

&.JlvuP

rZ%XN

TH%Ck

.Alzs

>u.IMS

IEWrap.dll

ü/A

\H%umgC

.Mr-Y

'k.gx3j.O

_.aiGO

IEWrap_x64.dll

n.umk[q

<.NX0

.HbG2v

<.qR6

.Hk^W

QjG%f`

r.BN?

IeZenSearch.dll

\=?.IR

].VQ9-

Et.bz

.KokFhE

1.Wj\

7.oV(

i.dA4w

(5.QL

$uDJ.IV

.sI*QV

F.NfI

dK%DjAf

/9(%c

O;.Uml

-[<2*<-1

BG%c#

"?%x(9

\.Tz3

ooo.fl

%9Xy"

.Yb/s

3]%xH

\I"{ .wo

W1X.UK

/.hB3

"!.AxK

Ip%c"U

|iy.Yp

l3lm>\.ze

{8#'/%7u

5.VMm

IeZenSearch_x64.dll

.aj[qI

)0T.Iq

YL%FO

*|l%d

%X X/

%F]Pj

%U@R2

!q_M7.nCvP"O

.Ys$'^

?t.Ok

..kQE

-X.WJ

C8.BH

48.uO

%u? K

@s<.Qh

%cLd ;

BM.es

:S%SKt

>%dJ:

5},.Kh

,..Nsp

u9.fO

%3U[\J

/O!.Qm

n%6UCU

bS.Hjew

$&%UWW

ZenSearch.xml

ZenSearch@ZenSearch.com/PK

ZenSearch@ZenSearch.com/chrome.manifest

ZenSearch@ZenSearch.com/content/PK

ZenSearch@ZenSearch.com/content/browserOverlay.xul

t:A.Sy

ZenSearch@ZenSearch.com/content/browserUtil.js

ZenSearch@ZenSearch.com/content/jquery-1.9.1.min.js

r8}.Pc

.zI89

ZenSearch@ZenSearch.com/content/locale.js

ZenSearch@ZenSearch.com/content/log.js

ZenSearch@ZenSearch.com/content/main.js

ZenSearch@ZenSearch.com/content/newTab/PK

ZenSearch@ZenSearch.com/content/newTab/images/PK

ZenSearch@ZenSearch.com/content/newTab/images/btn-search2.png

.]q.Iq

ZenSearch@ZenSearch.com/content/newTab/images/input-430.png

ZenSearch@ZenSearch.com/content/newTab/images/sprs.png$

yd.BK

h$.Oi

ZenSearch@ZenSearch.com/content/newTab/images/zensearch.png

ZenSearch@ZenSearch.com/content/newTab/newTab.html

ZenSearch@ZenSearch.com/content/newTab/newTab.js

ZenSearch@ZenSearch.com/content/newTab/newTab.xulM

ZenSearch@ZenSearch.com/content/searchControl/PK

ZenSearch@ZenSearch.com/content/searchControl/css/PK

ZenSearch@ZenSearch.com/content/searchControl/css/searchControl.css

ZenSearch@ZenSearch.com/content/searchControl/images/PK

ZenSearch@ZenSearch.com/content/searchControl/images/small_arrow.png

ZenSearch@ZenSearch.com/content/searchControl/images/zenSearch.ico

ZenSearch@ZenSearch.com/content/searchControl/searchControl.js

ZenSearch@ZenSearch.com/content/searchControl/searchControl.xul

ZenSearch@ZenSearch.com/content/settings.js

ZenSearch@ZenSearch.com/content/_prsys/PK

ZenSearch@ZenSearch.com/content/_prsys/activity.js

ZenSearch@ZenSearch.com/content/_prsys/product.js

ZenSearch@ZenSearch.com/content/_prsys/prsys.xulm

ZenSearch@ZenSearch.com/content/_prsys/testPrsys.js

ZenSearch@ZenSearch.com/install.rdfu

ZenSearch@ZenSearch.com/locale/PK

ZenSearch@ZenSearch.com/locale/en-US/PK

ZenSearch@ZenSearch.com/locale/en-US/searchbar.dtd]

ZenSearch@ZenSearch.com/locale/en-US/zensearch.propertiesnewtabLabel=ZenSearchPK

ZenSearch@ZenSearch.com/locale/ru/PK

ZenSearch@ZenSearch.com/locale/ru/searchbar.dtd]

ZenSearch@ZenSearch.com/locale/ru/zensearch.propertiesnewtabLabel=ZenSearchPK

ZenSearch/css/readme.txtDirectory for the extension css filesPK

ZenSearch/html/background.html

ZenSearch/html/newTab.html

ZenSearch/images/icons/readme.txtDirectory for the extension iconsPK

ZenSearch/images/newtab_icons/btn-search2.png

ZenSearch/images/newtab_icons/input-430.png

ZenSearch/images/newtab_icons/sprs.png$

ZenSearch/images/newtab_icons/zensearch.png

ZenSearch/js/browser_util.js

ZenSearch/js/jquery-1.9.1.min.js

ZenSearch/js/jquery.min.map

e%C,pi

.Mm<pg

ZenSearch/js/log.js

ZenSearch/js/main.jsuRMo

ZenSearch/js/_prsys/activity.js

ZenSearch/js/_prsys/product.js

ZenSearch/js/_prsys/testPrsys.js

ZenSearch/manifest.jsoneP]o

ZenSearch/settings/settings.js

ZenSearch@ZenSearch.com/

ZenSearch@ZenSearch.com/content/

ZenSearch@ZenSearch.com/content/newTab/

ZenSearch@ZenSearch.com/content/newTab/images/

ZenSearch@ZenSearch.com/content/newTab/images/sprs.png

ZenSearch@ZenSearch.com/content/newTab/newTab.xul

ZenSearch@ZenSearch.com/content/searchControl/

ZenSearch@ZenSearch.com/content/searchControl/css/

ZenSearch@ZenSearch.com/content/searchControl/images/

ZenSearch@ZenSearch.com/content/_prsys/

ZenSearch@ZenSearch.com/content/_prsys/prsys.xul

ZenSearch@ZenSearch.com/install.rdf

ZenSearch@ZenSearch.com/locale/

ZenSearch@ZenSearch.com/locale/en-US/

ZenSearch@ZenSearch.com/locale/en-US/searchbar.dtd

ZenSearch@ZenSearch.com/locale/en-US/zensearch.properties

ZenSearch@ZenSearch.com/locale/ru/

ZenSearch@ZenSearch.com/locale/ru/searchbar.dtd

ZenSearch@ZenSearch.com/locale/ru/zensearch.properties

ZenSearch/css/readme.txt

ZenSearch/images/icons/readme.txt

ZenSearch/images/newtab_icons/sprs.png

ZenSearch/js/main.js

ZenSearch/manifest.json

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></application></compatibility></assembly>

6%7/7 ;/;=;

9‘9U9v9

1"2d2|2

< <$<(<,<0<4<8<

>$>(>,>0>

7 7$7(7,70747~7

="=1=8=_=

9%9s:

< <1<6<1=8="?)?

8 8$8(8,808

; ;$;(;,;0;4;8;<;

4585<5@5

; ;@;`;|;

mscoree.dll

kernel32.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

portuguese-brazilian

Google\Chrome\User Data\Local State

dchrome://newtab

Web Data

nmanifest.json

Software\Google\Chrome\Extensions

em:homepageURL

install.rdf

extensions.sqlite

extensions.ini

q\extensions.json

sSoftware\Mozilla\Firefox

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

regsvr32.exe

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Firefox

Mozilla

profiles.ini

prefs.js

%s\%s\%s%s

search.json

%s\%s\%s

user_pref("%s", "%s");

user_pref("%s", %u);

user_pref("%s", %s);

SOFTWARE\Mozilla\Mozilla Firefox

%s\%s

FaviconURLFallback

SuggestionsURLFallback

TopResultURLFallback

777705555443332

5555443332

5555443332

Chrome

WebData

%s%s%i

http\shell\open\command

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\%s

%s%s%s

{EC740D8D-BAA6-4BAF-9183-2406AB943D3A}

\content\_prsys\product.js

\content\settings.js

browser.newtab.url

browser.startup.page

browser.startup.homepage

\js\_prsys\product.js

chrome://newtab/

.extensions.chrome_url_overrides.newtab

ZenSearch@ZenSearch.com

browser.search.selectedEngine

browser.search.defaultenginename

firefox.exe

chrome.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch

hXXp://zensearch.com/

URLInfoAbout

URLUpdateInfo

uninstall000.exe

firefox

chrome

{0001612C-7A4C-413E-AE24-A0533160057F}

hXXp://VVV.zensearch.com/?q={searchTerms}

{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

hXXp://VVV.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR

hXXp://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}

hXXp://VVV.bing.com/favicon.ico

hXXp://VVV.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

hXXp://zensearch.com/_searchbar/api/report?

iexplore.exe

{E34DF4AF-06FF-46E9-9183-865A9B4466E9}

\resources.zip

resources.zip

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

singleZenSearchUpdater.exe

singleZenSearch.exe

ZenSearch.bat

ping 1.1.1.1 -n 1 -w 1500 > nul

del "%s"

rmdir "%s"

%s_%i

%u|%s|%s|%u

.homepage

.homepage_is_newtabpage

.session.restore_on_startup

.session.restore_on_startup_migrated

UPDATE meta SET value=%s where key='Default Search Provider ID'

%s%s\%s\%s

%u|%[^|]|%[^|]|%u

\uninstall.exe

npapi.dll

Uninstall requires closing all browser windows.

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe

firefox.exe_1752:

.text

`.rdata

@.data

.rsrc

@.reloc

hXXps://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=29.0.1&buildid=20140506152807

{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

20140506152807

29.0.1

Firefox

Mozilla

Couldn't read application.ini

Couldn't set %s.

XUL_APP_FILE=%s

application.ini path not recognized: '%s'

Incorrect number of arguments passed to -app

Invalid path found: '%s'

Could not find the Mozilla runtime.

xul.dll

.gtest

dependentlibs.list

\dependentlibs.list

c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\obj-firefox\browser\app\firefox.pdb

KERNEL32.dll

_amsg_exit

MSVCR100.dll

mozglue.dll

_crt_debugger_hook

version="1.0.0.0"

name="Firefox"

<description>Firefox</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<ms_asmv3:requestedExecutionLevel level="asInvoker" uiAccess="false" />

<ms_asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</ms_asmv3:windowsSettings>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

f^.mHuQ8

.KscP

yy.QG

c"=Ýp

.CE&I8

%d>ZZ

\LMQ!)%C

Wuser32.dll

kernel32.dll

Firefox and Mozilla Developers; available under the MPL 2 license.

Mozilla Corporation

Firefox is a Trademark of The Mozilla Foundation.

firefox.exe

firefox.exe_1752_rwx_24090000_00010000:

cRtL

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

FreeMediaPlayer.exe:720
tsassist.exe:3364
tsassist.exe:2836
_silent_full_bundleZenSearch_prod.exe:3052
SetupFileTypes.exe:3008
tsasetup.exe:1992
tsasetup.exe:3208
tsasetup.tmp:3180
tsasetup.tmp:1380
netsh.exe:1256
prepare.exe:1480
makecab.exe:3856
singleZenSearchUpdater.exe:3040
install.exe:3552
TPAutoConnSvc.exe:1844
%original file name%.exe:1660
855ff7095b49e99e27b8ff3145da74d5.tmp:2224
TrustedInstaller.exe:3828
Cloud_Backup_Setup.exe:2672
singleZenSearch.exe:928
zensearchsetup.exe:720
vcredist_x64.exe:3528
MyPC Backup.exe:3888
updater.exe:1952
BackupSetup.exe:3224
helper.exe:3476
zensearchsetup.tmp:2652
taskeng.exe:2836
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:

%Program Files% (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe (274 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\FileTypeAssistant\log.txt (564 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.pci (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\log.txt (1655 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\prefs.dat (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\req.dat (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\rsp.dat (65 bytes)
%Program Files% (x86)\File Type Assistant\itdownload.dll (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearchUpdater.exe (36747 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe (63999 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\resources.zip (966 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-JUP7C.tmp\tsasetup.tmp (1416 bytes)
C:\Windows\Temp\is-OJD5P.tmp\tsasetup.tmp (1416 bytes)
%Program Files% (x86)\File Type Assistant\unins000.msg (771 bytes)
%Program Files% (x86)\File Type Assistant\unins000.ref (34 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\is-P1HEA.tmp (4549 bytes)
C:\Windows\Temp\is-6TP9C.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\unins000.dat (12497 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\File Type Assistant\is-KHAIO.tmp (9098 bytes)
%Program Files% (x86)\File Type Assistant\is-V741D.tmp (8281 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\is-7J4AT.tmp (1281 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.id (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\File Type Assistant\is-9QDMO.tmp (4549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\File Type Assistant\is-R5A85.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\ftacfg.exe (49 bytes)
C:\Windows\Logs\CBS\CbsPersist_20141212153428.cab (11744 bytes)
C:\Windows\Temp\cab_3856_4 (564989 bytes)
C:\Windows\Temp\cab_3856_5 (76 bytes)
C:\Windows\Temp\cab_3856_6 (8 bytes)
C:\Windows\Temp\cab_3856_2 (564989 bytes)
C:\Windows\Temp\cab_3856_3 (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch Updater\updater.exe (28535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\ZenSearch Updater.bat (215 bytes)
%Program Files% (x86)\ZenSearch Updater\uninstall.exe (8281 bytes)
%Program Files% (x86)\ZenSearch Updater\resources.zip (2472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\report[1].htm (2 bytes)
C:\29b8fe1277d49fe83693\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI1267.txt (205235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWL930C.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI1267.txt (132562 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-FJGAI.tmp\855ff7095b49e99e27b8ff3145da74d5.tmp (1429 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-I0L4E.tmp (783 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-E95GE.tmp (55 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9JB09.tmp (22284 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe (716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\tsasetup.exe (9147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-OTDJ8.tmp (10 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VLNPC.tmp (7385 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-D425V.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-0BOH6.tmp (14 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VQSHR.tmp (2321 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-BFFP6.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-U6OIC.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-N04MB.tmp (6841 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-173KK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zen.txt (18 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-JJ202.tmp (25 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9PGPG.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-C166H.tmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.msg (363 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-3PRFD.tmp (1281 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-H7OJQ.tmp (26 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free All-In-One Media Player.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Uninstall.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-6DUV3.tmp (1425 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-LKF4U.tmp (54589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\Cloud_Backup_Setup.exe (678 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.dat (9740 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-DDS08.tmp (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zensearchsetup.exe (20650 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-78P5N.tmp (24 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e (4 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\ffb3b0252116d00110000000f40efc0e_manifest (5 bytes)
C:\Windows\winsxs\Temp\504b71282116d00128000000f40efc0e\504b71282116d0012a000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00147000000f40efc0e_vcomp90.dll (120 bytes)
C:\Windows\System32\config\SOFTWARE (46584 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (21016 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00114000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\71ee61272116d00124000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\2678da242116d00109000000f40efc0e\2678da242116d0010b000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\3ceaf2292116d0014c000000f40efc0e\9c4bf5292116d0014d000000f40efc0e_manifest (676 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\ab90c6212116d00105000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00138000000f40efc0e_mfc90jpn.dll (95 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00132000000f40efc0e_mfc90esn.dll (130 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00130000000f40efc0e_mfc90chs.dll (78 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00113000000f40efc0e_msvcm90.dll (1526 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00135000000f40efc0e_mfc90enu.dll (113 bytes)
C:\Windows\winsxs\Temp\3ceaf2292116d0014c000000f40efc0e\9c4bf5292116d0014e000000f40efc0e_catalog (22 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00146000000f40efc0e_manifest (864 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\4b2fc4212116d00104000000f40efc0e_atl90.dll (853 bytes)
C:\Windows\winsxs\Temp\4b2fc4212116d00102000000f40efc0e\4b2fc4212116d00103000000f40efc0e_manifest (859 bytes)
C:\Windows\winsxs\Temp\941fa9292116d00145000000f40efc0e\941fa9292116d00148000000f40efc0e_catalog (22 bytes)
C:\Windows\winsxs\Temp\2b925a292116d0013f000000f40efc0e\2b925a292116d00141000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\ffb3b0252116d00111000000f40efc0e_msvcr90.dll (4811 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\758371262116d00118000000f40efc0e\d5e473262116d0011a000000f40efc0e_catalog (21 bytes)
C:\Windows\Logs\CBS\CBS.log (84188 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\108d5f272116d00122000000f40efc0e_mfc90.dll (38780 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\b02b5d272116d00120000000f40efc0e_mfcm90.dll (670 bytes)
C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00137000000f40efc0e_mfc90ita.dll (129 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (80713 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\2b925a292116d0013f000000f40efc0e\2b925a292116d00140000000f40efc0e_manifest (766 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00131000000f40efc0e_mfc90cht.dll (79 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00139000000f40efc0e_mfc90kor.dll (95 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
C:\Windows\winsxs\Temp\504b71282116d00128000000f40efc0e\504b71282116d00129000000f40efc0e_manifest (760 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4395 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\566caa282116d0013b000000f40efc0e_catalog (21 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\71ee61272116d00123000000f40efc0e_mfcm90u.dll (670 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00133000000f40efc0e_mfc90esp.dll (130 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d0012f000000f40efc0e_manifest (13 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (43534 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (14760 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d0013a000000f40efc0e_mfc90rus.dll (127 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\50ca5a272116d0011f000000f40efc0e_manifest (6 bytes)
C:\Windows\winsxs\Temp\2678da242116d00109000000f40efc0e\2678da242116d0010a000000f40efc0e_manifest (760 bytes)
C:\Windows\System32\config\COMPONENTS.LOG1 (195404 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00136000000f40efc0e_mfc90fra.dll (670 bytes)
C:\Windows\winsxs\Temp\50ca5a272116d0011e000000f40efc0e\108d5f272116d00121000000f40efc0e_mfc90u.dll (38780 bytes)
C:\Windows\winsxs\Temp\f60aa8282116d0012e000000f40efc0e\f60aa8282116d00134000000f40efc0e_mfc90deu.dll (670 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
C:\Windows\winsxs\Temp\758371262116d00118000000f40efc0e\758371262116d00119000000f40efc0e_manifest (760 bytes)
C:\Windows\winsxs\Temp\ffb3b0252116d0010f000000f40efc0e\bf76b5252116d00112000000f40efc0e_msvcp90.dll (7701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse281.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BackupSetup.exe (25515 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\settings\settings.js (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (18978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\input-430.png (480 bytes)
%Program Files% (x86)\ZenSearch\resources.zip (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\icons\readme.txt (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\testPrsys.js (2 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\sprs.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery-1.9.1.min.js (601 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\background.html (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery.min.map (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\browser_util.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery-1.9.1.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\product.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\sprs.png (56 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\testPrsys.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\settings\settings.js (502 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery.min.map (2392 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\browser_util.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\input-430.png (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WDUL1PG1\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch\uninstall000.exe (14988 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\background.html (509 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\zensearch.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\product.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\zensearch.png (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\icons\readme.txt (33 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-ME10U.tmp\zensearchsetup.tmp (1408 bytes)
C:\29b8fe1277d49fe83693\install.res.1036.dll (1355 bytes)
C:\29b8fe1277d49fe83693\eula.1033.txt (10 bytes)
C:\29b8fe1277d49fe83693\install.res.1040.dll (2110 bytes)
C:\29b8fe1277d49fe83693\install.res.3082.dll (989 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\29b8fe1277d49fe83693\eula.1031.txt (229 bytes)
C:\29b8fe1277d49fe83693\eula.1040.txt (657 bytes)
C:\29b8fe1277d49fe83693\install.res.2052.dll (1632 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1042.txt (650 bytes)
C:\29b8fe1277d49fe83693\eula.1028.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.res.1041.dll (1126 bytes)
C:\29b8fe1277d49fe83693\eula.1041.txt (5 bytes)
C:\29b8fe1277d49fe83693\eula.1049.txt (13 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.3082.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\29b8fe1277d49fe83693\globdata.ini (1 bytes)
C:\29b8fe1277d49fe83693\install.exe (13918 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\$shtdwn$.req (788 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\29b8fe1277d49fe83693\vc_red.cab (65618 bytes)
C:\29b8fe1277d49fe83693\install.res.1042.dll (1988 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1036.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\29b8fe1277d49fe83693\install.res.1049.dll (1720 bytes)
C:\29b8fe1277d49fe83693\install.res.1031.dll (1160 bytes)
C:\29b8fe1277d49fe83693\eula.2052.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.ini (844 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\install.res.1028.dll (1130 bytes)
C:\29b8fe1277d49fe83693\vc_red.msi (3176 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\29b8fe1277d49fe83693\vcredist.bmp (5 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5F7E.tmp (56 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5F7F.tmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\UpdaterTimeOut[1] (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuC03.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (385701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (320115 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\CityHash.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_silent_full_bundleZenSearch_prod.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.dat (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.exe (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\InstallerScreen2d.bmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\is-FLUOA.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_RegDLL.tmp (4 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZS_cleanup1" = "C:\Windows\system32\cmd.exe /c rmdir /q /s C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Worm.Win32.AutoItGen_855ff7095b

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Worm.Win32.AutoItGen_855ff7095b

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet