MD5: 25e5072d45ce19565f08f909f07489af
SHA1: 35ab84e0b623a3d0ecd7b9e9bb248cfaa7d2789e
SHA256: 32c4887f5ed7c0e6d117fa19a230397e413f0ae459391e88739654d233a16b33
SSDeep: 24576: F 1jFd9JI2z0gaBuV5UlMzhZjZwcph2SSjT3dgOXLS/sulIBja: y7z0gdUlMzhZjRKNTKkulA
Size: 1126816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:3588
GoogleUpdate.exe:4020
GoogleUpdate.exe:2184
bytefence-installer-3.18.0.0.exe:2020
%original file name%.exe:1908
GoogleUpdateSetup_1.3.21.169.exe:672

The Trojan injects its code into the following process(es):

GoogleUpdate.exe:3560
ccleaner.exe.EXE:3592
PF-Toolbar-W78.exe:3136
ByteFence.exe:2188
googletoolbarinstaller_en_signed.exe:3984

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUMCCE.tmp\goopdate.dll (872 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_en.dll (864 bytes)

The process GoogleUpdate.exe:2184 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)

The process ccleaner.exe.EXE:3592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtapi_signed.dll (2465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb\toolbar-screenshot.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\ButtonEvent.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb\toolbar.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjDA5A.tmp (517686 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\PF-Toolbar-W78.exe (28539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\modern-header.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\pfWWW.dll (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gcapi_dll.dll (8401 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsAED.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\modern-wizard.bmp (18 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoD9DC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsAED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp (0 bytes)

The process bytefence-installer-3.18.0.0.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE6BE.tmp (14 bytes)
%Program Files%\ByteFence\ByteFenceService.exe.config (383 bytes)
%Program Files%\ByteFence\rsEngineHelper.exe (6573 bytes)
%Program Files%\ByteFence\ByteFenceScan.exe.config (147 bytes)
%Program Files%\ByteFence\rsEngineHelper.exe.config (383 bytes)
%Program Files%\ByteFence\websocket-sharp.dll (10676 bytes)
%Program Files%\ByteFence\Signatures.dat (22262 bytes)
%Program Files%\ByteFence\RsMessages.dll (8157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsisdl.dll (30 bytes)
%Program Files%\ByteFence\rsLggr.dll (3498 bytes)
%Program Files%\ByteFence\x86\lz4_x86.dll (3629 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE47B.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD6B5.tmp (14 bytes)
%Program Files%\ByteFence\ByteFence.exe.config (147 bytes)
%Program Files%\ByteFence\EULA.txt (28 bytes)
%Program Files%\ByteFence\ByteFence.exe (108206 bytes)
%Program Files%\ByteFence\ByteFenceGUI.dll (18782 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsC989.tmp (14 bytes)
%Program Files%\ByteFence\ByteFenceService.exe (5549 bytes)
%Program Files%\ByteFence\Uninstall.exe (1867 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD34A.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsExec.dll (14 bytes)
%Program Files%\ByteFence\rsEngine.dll (104521 bytes)
%Program Files%\ByteFence\x86\System.Data.SQLite.dll (22599 bytes)
%Program Files%\ByteFence\x64\System.Data.SQLite.dll (30244 bytes)
%Program Files%\ByteFence\x64\lz4_x64.dll (5223 bytes)
%Program Files%\ByteFence\Microsoft.Win32.TaskScheduler.dll (5936 bytes)
%Program Files%\ByteFence\rsUtils.dll (8332 bytes)
%Program Files%\ByteFence\ByteFenceScan.exe (6226 bytes)
%Program Files%\ByteFence\WhiteList.dat (11709 bytes)
%Program Files%\ByteFence\rsMessages-license.txt (13 bytes)
%Program Files%\ByteFence\rsLggr.exe (9075 bytes)
%Program Files%\ByteFence\protobuf-net.dll (6755 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE6BE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC65C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsC989.tmp (0 bytes)
%Program Files%\ByteFence\dummy.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD34A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsisdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE47B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD6B5.tmp (0 bytes)

The process PF-Toolbar-W78.exe:3136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC23.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_1.3.21.169.exe (26262 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC23.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC22.tmp (0 bytes)

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button.png (698 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BD4FC.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CF6DE.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\BG.jpg (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button_Hover.png (818 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CBA5B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D61015565366021.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD682.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\6CD6BBF2_stp.EXE.part (534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp\bytefence-installer-3.18.0.0.exe (1746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp.CIS.part (795 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Lolosobeken[1].jpg (3254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS (82136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6E0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\bootstrap_37575.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue CCleaner Installation.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ccleaner[1].jpg (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button_Hover.png (719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp.CIS (2820 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\6CD6BBF2_stp.EXE (15278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_tb.png (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_wi.png (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6FF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button.png (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\text-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS.part (1648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD663.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D61015565366022.dat (82061 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\Downloads\ccleaner.exe.EXE (51303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4A21WW8U.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BCEC5.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_%original file name%.exe (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Resume_Button.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\button.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close_Hover.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\csshover3.htc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp.CIS.part (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BD4FC.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EL.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CF6DE.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\BG.jpg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EN.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\ID.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Progress.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CBA5B.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\form.bmp.Mask (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Pause_Button.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\CS.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD682.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\6CD6BBF2_stp.EXE.part (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp\asgnd.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Icon_Generic.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\progress-bar.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\checkbox.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6E0.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\button-bg.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Loader.gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\JA.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\bootstrap_37575.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button_Hover.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\ProgressBar.png (0 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue CCleaner Installation.lnk (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\sponsored.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button_Hover.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp.CIS (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg2.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\browse.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_tb.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_wi.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6FF.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\text-bg.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\6CD6BBF2_stp.EXE (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\1CCC57C3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Quick_Specs.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS.part (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD663.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\ie6_main.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\NL.locale (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg-corner.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\main.css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BCEC5.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_%original file name%.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images (0 bytes)

The process ByteFence.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar233C.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_3FD623D81F01CC7158ABFAD4F5E4B368 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_3FD623D81F01CC7158ABFAD4F5E4B368 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab233B.tmp (53 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab233B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar233C.tmp (0 bytes)

The process GoogleUpdateSetup_1.3.21.169.exe:672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUMCCE.tmp\goopdateres_fi.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_en-GB.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_th.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ru.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_hr.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleUpdateHelper.msi (26 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_pt-PT.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ro.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_en.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_sr.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\psmachine.dll (163 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_el.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_fil.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ko.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_is.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdate.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_am.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_de.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_fr.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ml.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ta.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_uk.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_kn.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files%\GUMCCE.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_zh-CN.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_lt.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_te.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_sw.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_da.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_gu.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_cs.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ar.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_nl.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_vi.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_mr.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleCrashHandler.exe (237 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_sk.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_bn.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_fa.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_bg.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_it.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleUpdate.exe (234 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_pt-BR.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ms.dll (1702 bytes)
%Program Files%\GUTCCF.tmp (63108 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_sl.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ur.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_sv.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleUpdateSetup.exe (5873 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_es.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_id.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_lv.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\psuser.dll (163 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_es-419.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_pl.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_hu.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_zh-TW.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_hi.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_no.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ja.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_tr.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_iw.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_et.dll (1702 bytes)
%Program Files%\GUMCCE.tmp\goopdateres_ca.dll (1702 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUMCCE.tmp (0 bytes)

Registry activity

The process GoogleUpdate.exe:3588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKCU\Software\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKCU\Software\Google\Update]
"uid"

The process GoogleUpdate.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
"eulaaccepted"

The process GoogleUpdate.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"ping_freshness" = "{10AC5891-CC89-4100-AEDD-E18F8C982F62}"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{393DF1EF-7695-4742-9215-627A7C3B98BD}]
"PersistedPingTime" = "131623974660359438"
"PersistedPingString" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{573B8DBD-9FD5-48D0-8556-85A1CC737386}]
"PersistedPingTime" = "131623974629783384"

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadProgressPercent" = "0"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{573B8DBD-9FD5-48D0-8556-85A1CC737386}]
"PersistedPingString" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\PersistedPings\{573B8DBD-9FD5-48D0-8556-85A1CC737386}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"tttoken"

The process ccleaner.exe.EXE:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"Piriform Ltd" = "20180806"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Google\Google Toolbar]
"test" = "test"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Google Toolbar]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"Piriform Ltd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Google Toolbar]
"test"

The process bytefence-installer-3.18.0.0.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence]
"NoRepair" = "1"
"NoModify" = "1"
"DisplayName" = "ByteFence Anti-Malware"
"InstallSource" = "%Program Files%\ByteFence\"
"Publisher" = "Byte Technologies LLC"
"URLInfoAbout" = "https://www.bytefence.com"
"UninstallString" = "%Program Files%\ByteFence\uninstall.exe"

[HKLM\SOFTWARE\ByteFence]
"PINSTP" = "/S /IU=tDtDyDtDyDyCtA0B0A0E0A0C0FyB0E0D /i_data=2StR1L1R1V2Y1L1QtRzxtRtDtDyDtDyDyCtA0B0A0E0A0C0FyB0E0DtRtHtR1T1O1I2ZtRzxtR0D1F2W1G1I1F1T1Q0A1B2Z1C1FtRtHtR1L1R1V1O1I1T2X1F2Y1CtRzxtR0B2U2Z1P0F1P1G1R1P1V1B1F1I1L1J1FtRtHtR1F1B2X1P1C1B1L1F1GtRzxtRyCtFtCtRtHtR1B1L1QtRzxtRtBtDtCzztDtBtDyCtCyDtBzytAyDyBzyyCtR2Q /LM=3 /DU=10 /TUNE /TFN /WICEA /INSTEX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence]
"DisplayVersion" = "3.18.0.0"
"DisplayIcon" = "%Program Files%\ByteFence\Uninstall.exe"

The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"hmac_sha256_validation" = "a7e380b7cf4ea43ba644fe66e1afc2a9ee8b5d0cd2562c7e52f047976a064d79"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"vendor_id" = "ic"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"publisher_id" = "e2923bc74a"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "103"

[HKCU\Software\DownloadAstro]
"Ccleaner.exe" = "1517923830640,http://download.piriform.com/ccsetup516.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"advertisers_ids" = "b4ff530f28"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"install_time_client" = "20180206152935796"
"install_id" = "071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d"
"channel" = ""

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKCU\Software\csastats\ic\071171569dcc14827128034ef4d19231e5dcec9e2f5e6dce9337e5592a5ec24d]
"install_time_server" = "20180206082943375"

[HKLM\SOFTWARE\Microsoft\Tracing\25e5072d45ce19565f08f909f07489af_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process ByteFence.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Posocokofe
Product Version: 3.7
Legal Copyright: Lite
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.6.3.2
File Description: Posocokofe Setup
Comments: This installation was built with Inno Setup.
Language: Korean (Korea)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=328237267	52.30.206.141
hxxp://info.downloadastrocdn.com/?v=1.03&c=866d968a&at=1301533066&cntr=0	54.77.123.135
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=136108574	52.30.206.141
hxxp://os.downloadastrocdn.com/DownloadAstro/?v=6.0&c=1317968989&t=7068405	52.19.172.87
hxxp://images.downloadastro.com/downloader/nl/ccleaner.jpeg	104.25.53.103
hxxp://cdneu.downloadastrocdn.com/ofr/Solululadul/asgnd.cis	146.185.27.45
hxxp://cdnus.downloadastrocdn.com/ofr/Solululadul/asgnd.cis	199.58.87.110
hxxp://d1k4dgg08m176h.cloudfront.net/ccsetup516.exe
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=1738505676	52.30.206.141
hxxp://img.downloadastrocdn.com/img/Lolosobeken/Lolosobeken.jpg	50.115.122.45
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=541176657	52.30.206.141
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=255158247	52.30.206.141
hxxp://cdneu.downloadastrocdn.com/ofr/Tefenece/Tefenece_3_18_0_080118.cis	146.185.27.45
hxxp://cdnus.downloadastrocdn.com/ofr/Tefenece/Tefenece_3_18_0_080118.cis	199.58.87.110
hxxp://rp.downloadastrocdn.com/?v=2.0&subver=6.21&pcrc=1887738617	52.30.206.141
hxxp://logs-bytefence-com-1135692724.us-east-1.elb.amazonaws.com/event?Eventname=Installer&status=ICStart&Product=ByteFence&i_data=2StR1L1R1V2Y1L1QtRzxtRtDtDyDtDyDyCtA0B0A0E0A0C0FyB0E0DtRtHtR1T1O1I2ZtRzxtR0D1F2W1G1I1F1T1Q0A1B2Z1C1FtRtHtR1L1R1V1O1I1T2X1F2Y1CtRzxtR0B2U2Z1P0F1P1G1R1P1V1B1F1I1L1J1FtRtHtR1F1B2X1P1C1B1L1F1GtRzxtRyCtFtCtRtHtR1B1L1QtRzxtRtBtDtCzztDtBtDyCtCyDtBzytAyDyBzyyCtR2Q&ruserid=&tag=2.0.50727&OSVersion=6.1.0.0&version=3.18.0.0
logs.bytefence.com	35.168.219.122
ccleaner.nl.downloadastro.com	108.163.213.235
download.piriform.com	52.85.184.22

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Executable served from Amazon S3
ET MALWARE Win32/InstallCore Initial Install Activity 1

Traffic

HEAD /ccsetup516.exe HTTP/1.1

Accept: */*

Host: download.piriform.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 6868672

Connection: keep-alive

Date: Sun, 19 Nov 2017 04:56:53 GMT

Last-Modified: Tue, 22 Mar 2016 11:20:08 GMT

ETag: "e679fcf33ffb57bcabbc598ab5c18be8"

x-amz-meta-cb-modifiedtime: Fri, 11 Mar 2016 20:52:26 GMT

x-amz-version-id: RcUwGR2OGzvBu6usZs9_eajaDeObhdf.

Accept-Ranges: bytes

Server: AmazonS3

Age: 78311

X-Cache: Hit from cloudfront

Via: 1.1 bc4389d82338e569938d96a220607237.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kX-RDk-YoKPCxMdje3l_ehr-3AU1vQHzc6pHnAfAXb4OLBCjXYDwCg==
....


GET /ccsetup516.exe HTTP/1.1

Range: bytes=0-6868671

Accept: */*

Host: download.piriform.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 6868672

Connection: keep-alive

Date: Sun, 19 Nov 2017 04:56:53 GMT

Last-Modified: Tue, 22 Mar 2016 11:20:08 GMT

ETag: "e679fcf33ffb57bcabbc598ab5c18be8"

x-amz-meta-cb-modifiedtime: Fri, 11 Mar 2016 20:52:26 GMT

x-amz-version-id: RcUwGR2OGzvBu6usZs9_eajaDeObhdf.

Accept-Ranges: bytes

Server: AmazonS3

Age: 78311

Content-Range: bytes 0-6868671/6868672

X-Cache: Hit from cloudfront

Via: 1.1 bc4389d82338e569938d96a220607237.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Ni3wiYWDzfjQlfXIzJdHM4Ke9VSxJvUDMgQ_0x599t4wZe656bd2Ew==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........h..........
........................E....q.......[.......q......Rich..............
......PE..L...y..V.................t.......B...:............@.........
.................0=.....I.i.....................................|.....
....<...............h..2...........................................
................................................text...Pr.......t.....
............. ..`.rdata..8 .......,...x..............@..@.data....~...
.......................@....ndata...P5..@...........................rs
rc.........<.....................@..@..............................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U....\.}..t .}.F.E.u
..H.....=G..H.P.u..u..u.....@..K...SV.5.=G.W.E.P.u.....@..e...E..E.P.u
.....@..}..e....H.@........FR..VV..U... M..........M........E...FQ....
.NU..M.......M...VT..U........FP..E...............E.P.M...L.@..E..P.E.
.E.P.u.....@..u....E..9}...n....~X.te.v4..P.@..E...tU.}.j.W.E......E..
.....T.@..vXW..X.@..u..5\.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E
.P.u.....@._^3.[.....L$...>G...i. @...T.....tUVW.q.3.;5.>G.sD..i
. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5.>G.r
<<< skipped >>>

POST /DownloadAstro/?v=6.0&c=1317968989&t=7068405 HTTP/1.1

Accept: */*

Host: os.downloadastrocdn.com

User-Agent: ICAS

Content-Length: 1392

Cache-Control: no-cache

.I..~...$$......xh....).}........@89?`...(.r..Uh...v.:..

.......y..^...8.L.3m....s....H..=....c...F. s....Dx.Akkd...o.|..K..z.pW.?...... m.Y..Y.f...a
.&j}.R............S2.`....6.].......zn9...9..G...k.4.....^.....-....7xw..._.Q.,......'.j.}.T..qf.h1..=.L.}.~c.4...<.....i..4../..G
...c...~.U.s..9...[.N..T1.Z.%. .....j.
vm.%v{.....?.Q..^....X.. ...4..(......Q|Jl1..!..^..t.....r................]...Fn...M.VG.{....E.;......Bv`
.. ..p..f..._#Er.."..f..~....KBma@.....~....2.{..)_?..-.f.Q8..E.....I

6&UqF....k..q.qN......o..>.E(....I@.u..{B.DW...a...h.C.,.K..%/v>.......\B....
...</W.>.{......%q.8q......2.#}.,.......gG.Kt...sep....yJ.N.........
....!.K.o{..l.f...z...
gb.!..0x...*....3...[...V?...R......C..J...,....

..
.6.7..WL......5.........c%.W%... Ba8&..........g]..S..5{...7`..EF.Q...,Oz....(H....>I_.:,.._.e...$`E;. .Mx...R.}.....-...U...v...0...Wi..*...4..8.5..^c...5..o#.....El]&. . ...%T.xq......=f.i....H...!..#....bf.....fVM...I...].Q_.0.!........(..N.M..\.....(.!.i..4.R2........]..].....).a.?"..rmu3t....5....#y.....o.ctYfL.[@qTcf...Y
k.OD.J.....].l.
.m[....\....^.........P....l.."oV6..~2......eN.....Z#.{A..).].C.}..L....,.$...^..3..Th=t..7.....G....;....<.G...n.&.9o2 ...l..#...KQwQ..,.....9...EX.....?........K.d_..:...Vs.c..j.XA...U..1..%a...._...G.*H..$...g..."..'3w"..{_...x.H..!....,.YV.-f..Y3.Y.....K....Q|..j8..R.a
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Tue, 06 Feb 2018 13:29:43 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-GICSET: 310458

X-ICSCT-IP: 194.242.96.226

X-ICSCT-ISP: Pitline Ltd

X-ICSCT-ORGANIZATION: Pitline Ltd

X-ICSCT-SERVER-NAME: ads-slave-1111-production-eu-west-1-i-04457c698ea5e263f

X-ICSCT-TIMESTAMP: 20180206082943375

X-ICSCT-VERSION: 1.11.1

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-ICSCT-XS: 4eb2a71f144207bedf4780e5a4e4f0d4c17ad472

X-Powered-By: PHP/5.5.38

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
8cb..._.W...W....I.....u..{....3;0..G......=}`E.L..GL......F.0......2'
#..&.(.}..<......I-..........Q..-..7......d7k....3.C.2.6..k(..k(..k
Ji%..cf.Z#I'.....,...S2..m..?....t-.J.....T...37.8K.L../..b.z.....d...
.`.'4,.)..r.Y.......J......#M....V..:..y?..b..k.......N....q......V...
9...b.O........[.....S^..-. e.!:..P......A...igW.A...~N7QZ.,zM.N_...R.
Iq../p."..v1.$|.........i=.;.R.').U...a.JQM.............7......Z..N.s.
c.....S..m.......BS:.c..P..M^....|..f.|by;;.......zy.Yl..njM.>.W...
.....-.....-d..N....~0.2...1R../.TS.n<.`.8c.....qt|..^.b.8Ef.......
 ..Og...4.....X....a......8.P.....X....BHg.......i?..8-%.@.....&..4..C
E....tL.N.>C.R....\.V....Y.......M....F..-..XX.|......:.......a.u..
98....;.k.z....[o.. 0......qd....1b%...B.#Y..."..../.n.6...t....,.....
.2T.....TH.]...\.......7.W8.u..&..7.......h.0.......|e.q..r@..\....c..
......^..fy.UJ.....eK.....k..[.*.U.{U...k.!r..... *.......=..g,.h..B..
.oW....[............,R....w....#....-...;\..e.. *.(....{DC.........kM.
..nBy....f4`<. .h9..).!..xp1 s.u....x.5..; .(.....*n(.o.o."... V(..
...>.....8.w...).(.....)>...... .H.*B..YRQ.-.Y. ....}..,..C ....
.@.\..k,..  V(.T..U...'.6..9...pe. ..V.w...!..c..c-........*...W...l..
N.Ff....$.`.X n..5..T....k..\T....._.....e...e.k.....*...%...J....... 
&h.)...Dp.......x......f..I.=bL..GKm.S.F....%G.>pZ..%..d.....-./J`.
...1..!*....t......q........?.,e..GD.KI\^.5...(...)....K...9.k.m.^..%,
.|.....\.....z...!|...`.A. .8...}af.2.rY[..(............Z....f8AE..j .
.jh....^Q......d.L7...5..]r...#........0.$...x5..h...i..F.e|p]T.:.
<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=255158247 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 3536

Cache-Control: no-cache

I'.........a.o.~.u...T.!XvT.6...}?{.f;.K.ll...g.............4...?....CVSo.qa...v.b..z.D.P..Y2@.t.._...".u\.....[..\.3...[jw.}.S..."..\'.,l....t.u..B.....j.[.F....FK....._.^J{...2.<F.......Qec._'.....*Rc;%<ql."..YFfu.... e.U.E.@......D..x...fh.U...S...]m.q4...P..t?.@o.(....,x.z..Z.Z.3GlX...x.y.....,.4z...1.$.. . .:..I..M.
.#\.s......sLR.0p%.....c........B_.......}...N.k.k.*m..".P.-D*

. I......]=
..}..... .q.Q...n.j.T.^.R}Z?..|....kf.......,....`S............].2.].Y.0-$d...1...vE..4P..a..(... ..z..d.89..d.%.....9...5.....c.%~.......s..)e.S...T...<5?...u........[&iQ.....v.z..B..'.b:..JQ....&,s......1w.t.f./.....vX....^.Y.;7.....9.p...&..0.wv.@..[u......fB.u......X.&...........QM5...wuDS.J..8".} }X..\..[5c.....Vm..l!.....c....sgy..5FXR$;....{...1C}BT\.....I..).....:..;...;.S"0...n...........>..........q3I.`......`{.....5f....62r.m.T....8...1n. \...<.Z...D.(.2.....*........$..#.......@..1....Z...'..!.f.hs...2z..;..../.b.OF..E.2.k./..F.9...;d........F.sdW.lg(.r...'..F.a.nb.\..4....Y._D..\&.2.S...Y4l..&...x.A....>x^.....N...X....%.\\...
=P..j.}x.DO/V...f..@..1T).(../..:.

g8. .$.H

.....S....y....9...#..9..,.B....).KY........P.....}..B1^*....8h).c...p...S<w.3bL..4O/......b.2...Pz n$g|.7S6P....7Ji..&Pf....
....e..i.{[..'k.7..@2I...,2.....s
...~J...~=M.brdi...K.{.1..ZA.....
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:30:30 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:30:30 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=4710400-9322221

Accept: */*

Host: cdnus.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Tue, 06 Feb 2018 13:30:32 GMT

Content-Type: application/octet-stream

Content-Length: 4611822

Connection: keep-alive

x-amz-id-2: IBjhAmcCPAXYVPbsneVaKi4I0Quhk6Zv7RW0KILE1W 8iOLTDzcov05YghngI1AlPuV4KZ9fVl8=

x-amz-request-id: 660B6420EDFE1258

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 4710400-9322221/9322222
.i)....zmz7..M.d.KX5.,%...]..X.Mu........C. .\v....q...(V!...|.r.J.!..
.S%.|.]sl3... o....%,:..<.,..F.p~..|....6.3%... .... .b.... .,(...'
.X..e.&4..Wq.sg.._C.)..D.J../.. ..v.....Kw..5y...:.....4..M(80z.i...3.
#..h.^.M........o...;.*.......n.Y................._P/'AM...c0E..e...B.
.a1.......?R|..`a..`GJ$..Ew8..^.i...)y...%x....`......*.Q...>S.{..$
...a....N.3...p...R.C:.........R..h.&.b........d.X...As.p,...Js.....j.
i.7.......)/.Z....&....y..m..A9..{.'\P..!......&1{c.Nh9.....m.M..8.,..
.;.F............D2I.6f9...f.......A...X.0=...1J....Vs."..W^..`hh..C.J.
....>f....H'..4.....F...m..sP..K\..h....!T...Fj.........tsS.@$ ._.c
.E....._...7Zj..$R.A._(.1..s.ac..XOW..SNv./...r....O.." .m..%.Id...j..
...VQ.e.4@......W.9R..W.k.J.....w....l.w...7....%........r..n...l...W4
...%>..b....GX:....V.JV...b!&....^P.....H.{a..~.o.O......a..M'.?Z.%
.%..O..m.v....IFo.H..3&.P..... ..`..<H.*F(.>:.....7..cS.#..Zz. .
Gm.......9.[R..q3..`.OK.g...m..m..j....fyVN..$....g@..;..EL.}...,.x..4
.P.......i.....$..#.2u...r?...t..".....'..c..=....<jt.Yie..:...}.2o
.9...S.;.T.H.x.m....Mu7......u.n.1.. .>.M.l6...lP..WE..<g".%.[.=
L.AX{.!:..mi.=ks.........Luq.z.H...!k^a.~..0....i................@...y
V..3d.R..67..#s...uy Vl.HQ.]F{..X.J..#..[.............KO..f.."H....w..
...Z....y2...T..v..@.h_.N..L.~Pv..U.V.)...VM.c...`9 .7l..G.2G.G9hq....
...4W#v....j.f^..{...t....{....6..6.JH.....&........Bg...?.>.F.G...
.........w..."fl......$...O|...#...0e...F.....3....V...7...%u.D..ui..k
..}y....4.......0t..f.Q.M.a.........~.....<.qu.M....?u&..a\.M.n
<<< skipped >>>

GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=2867200-4710399

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:30:34 GMT

Content-Type: application/octet-stream

Content-Length: 1843200

Connection: keep-alive

x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR9o7P0l 8j33MAigdU=

x-amz-request-id: D4528B33F40741D5

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 2867200-4710399/9322222
E=.....,..V.. P.yac.5D`....[_........6H.R....F4)..f.gg@.(.. ..'O.....R
?p6.0...1...kL....#|....g.#.Fr..8.s..=Z...<%.....T...-L^vg.U..>=
.35...L...H..'v%_.OD......bV...."e[E....y.e.L.....d..I3..R..Ay...u..y.
.......7Z.....T.n7.U.,..F......'.....fvK.....o...\H.....e.xR...Wz_..Fi
.V".......W.~..I..\d0.. ]..&ï.'......V....^.......L...z.?.`>...1j
...0....).ui%.%MZ......f.p.=J bC...yw.i.g\......@O}....@.Pj....*......
i.*.=.>{..!.".......Nz.`1}/..=.....SM.mt....:`'u.f..'|~.)?.........
^.......Lz.. ............CagD;.\.).V...........b........B.)...........
j.S.....z.....7.E.m...tuH.y..O<..RG&... ......m......<X...^.C...
.o.%Mh....._..ye.Zz=.o4..).........i=.=.n>..%..!...}..._{.xM8.[/s.F
m..-.y.../....:.bn..L...a...t......yn...wb..9ApXJP.$....F....[....Ua.]
.-4..S&...*...b.........:g.?s........'a.B....N....!.gC2..o..c<..A9r
T.H...Q.o..s[6[W...lb....x.*'.#..),..jo.;.3.o....J..`R..-O*.\...fe.r.`
q...r;&l(uQ)........\..u......y..o.{{.F...}.^&..F..S...........0^^u.N.
...X..Pe......=zV.j..,..G....R...'...,..f.....".Q..@%.J..Sr..1V..J..`.
9`...k.r.n..8....*...$t..k...V[.....G....c.M..}.O..J....-.=.^.t8)..5..
.._.V.J...@..s.I....?...b......S..,.l.6...=.5...v.H.cqE.c.<..s_KV6q
....!..~.a.H..:#.{.*R%[.........o..I.H.EQO.@............k....bm."...-.
.......\\'.....`p.TZ..vp~Bv^R.b.B. .X,./.r..#........~av.=..v.5...."5.
n.B....emP5.^..y....Ww}0..n.................|..^o...luz..B....v.......
....N...U{(..5..V...=j...(....f.N.......4...a....n*.s=.....)L.....z...
.r...}..*..@.6..\.<.Luv......P....v.GZ......%S.p......m)...o..a
<<< skipped >>>

GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=2764800-2867199

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:30:37 GMT

Content-Type: application/octet-stream

Content-Length: 102400

Connection: keep-alive

x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR9o7P0l 8j33MAigdU=

x-amz-request-id: D4528B33F40741D5

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 2764800-2867199/9322222
>...yt.F........>=......r..$X....p.....y'.F5...d....O....@...@..
..M.G...S..e .b....3k~}..'.y!.n.....w..taT...C.U.......]...t.....pn...
..,...l.....n.5...%'....#. .....k.CM...]~....)....c..X.....#..Z.W...._
 H.F.O.....=..p..L.....B.....P:...W.y...._..Z..B"kZ.y...lC......{o.\.%
...[..9..7......I .......W.;QZ.......uW.......*..E!4..I.G.....7...\...
3..(...O.d.#S...*..[g.?......H. .lu..n\W=...T.m.I.8hb\..6W....O......&
gt;...h..yL6$Rm6..v|.3..m.j.Q...;...a,.C.t.I..K~.a.!HG<N...w$..iR.K
.....m......4....!...\w.4..A..............Z...n,.L.........gi{...I./{.
..?.b..A.>...?....{....._.a........A...f.....;z....{..6.......B|...
.V._T]]. ...y.x...G..\"B.;....f4.twL-....{.Z.....E.N.C..]E..E......m *
}......;.{.sX.I.T.......$"..M.|..x. ...=K.......*.a.K......x.J"yN..X/.
f....i./...h.... .}[|...9u^..R......Oyw.2.......|[.....H].rW6.'}J..9j.
..g#...i.,......6.gg5R8M)..Nq:...e........]5..dDm....]5........Q...q..
.%......X.V7.'!..T..]l7.J'.fp.x\.:...p.H.!X.D.V*!.._..Kz`h.......k.I..
.5e.=lVJk.. P.Z....=..I.#&..Bd`..Y .x=......>..g-W.V,.....T^Y....1d
....[.F%,..f.......e`|..0..9...H.........T.....}.@.........s.......cm/
0F..#..$...Qe.Z..0......i3B.Q...B.)..M...|*..Qs>.h..C|#..i.s.&.e..X
.k.....f.....pD..)..a,..M..o..>......<K.....6.\.....^.I.....PP.:
].&.!E....@~;.>h....lT..."..]B%...........Q..i....... .ys....H..R..
......W/...k....G.w.,...2.q .*./P.....~J.:Ra....HSQX.M_.5s.6..B.L....\
.&..].&h.i...]c...F..N`......VI...$.....]N........}._?..w..>..._...
..<...<qV.T..&.O...T CG.X......$.>9..f....D.....1...C.;5.
<<< skipped >>>

POST /?v=1.03&c=866d968a&at=1301533066&cntr=0 HTTP/1.1

Accept: */*

Host: info.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 172

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7Jq3echfF9QCpjdqI9kfl18w8NearSg/WflBLKjG6UswRoW4I9AG2jsz7ZdS2F4Y8iIROBe0x1CuSOSzmhRx8KxvCpz9WdmS03vWlMsN/rkbWKUo4jzauJZ4 wz07LoWELPAFmcCv8rkFXqmJKkBmFGE=
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: text/plain; charset=utf-8

Date: Tue, 06 Feb 2018 13:29:42 GMT

Content-Length: 984

Connection: keep-alive
ae5gvwKEnIF68k97PL15Pun9ZgfjWsAZRBnRC6FvpujkJMzNiR1DaeILr8GvpD59TcGg9c
RrwO8mX mVoHoFm4tJhaCLOP2T2 TTmOtmXJ5B7qmf2HPqosnb0XmmxwzLRnlF6mytV H9
lo0UVtvGTl05drZ2t2ANjRSMtbC6cbQwF4cNzIRoO1GtfhtudkBYxi2C0Y4ipjz5d7GYLX
vtnuH7S73t9GjHZdoQ6PzRfrwCZBr6hEvFlJEIIaWv/arYEBjOnoakMsmINtf1PAT7ZU8G
bqlriBq4E3nkqHHQsmeHYXjedU2bf UdXuiyFqPpI41nxo6k8Pskk8aH/IJRjQsoom09a6
UThekCVyBpiDO2xtzGFeprOaDtaKWNbqyoK7I3i81Uw3naXSM9Vc5tAy1wY MJSkEf44gV
JhLobcoNGhMHq7pCOxGHz4U5UgrWBniozvmOPhDD/3RyTlzfuicAoh0Q3nxWB4FO7IQTF/
cye R QUsm5pZ3082aOsTWwIF0bFMUN8FLKQPzZx/RJ9AL2aVVc7BWLG2Ju5I M2K2lOGe
iMhBqQ E9Nx8Zd/UpmyJexYowfLYWyUVoF1  HQnA0Rp3ZBvm/hHSP8dGZwH1Yv fJ9eiL
QXHRNbETnDC 4Mg7vvDr/hhuURLN3EjubF/ZTZ485VDk3g8fq1bOQLZz2GRRbzjphXr80Y
K6CswAG62NmqlSjAdNM3hw8CKGaaQF053Xxi 80V1 GOfox09U mCy0yrtGjRJiRRKbzaC
Wc /rIIwr0etPpCoOKvEHJhe/B GzSvF2cTk4QVhuvRgbJFQG8jAByhGhI2BrEXn/w14xu
zqEw4MhpkGZhfnZsIPhd9SoPySp8I cGuTzKQwAenpPkM5u/tjaTOREuWHidcz1/z/P1 i
yxrWq0ms1G83gQAfD5/qtIyIJq3yZ914oshfdGlhdT SaDx4f1PR36D9MFVUpOH5NX3oKL
Uw==HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Content-Type: tex
t/plain; charset=utf-8..Date: Tue, 06 Feb 2018 13:29:42 GMT..Content-L
ength: 984..Connection: keep-alive..ae5gvwKEnIF68k97PL15Pun9ZgfjWsAZRB
nRC6FvpujkJMzNiR1DaeILr8GvpD59TcGg9cRrwO8mX mVoHoFm4tJhaCLOP2T2 TTmOtm
XJ5B7qmf2HPqosnb0XmmxwzLRnlF6mytV H9lo0UVtvGTl05drZ2t2ANjRSMtbC6cbQwF4
cNzIRoO1GtfhtudkBYxi2C0Y4ipjz5d7GYLXvtnuH7S73t9GjHZdoQ6PzRfrwCZBr6hEvF
lJEIIaWv/arYEBjOnoakMsmINtf1PAT7ZU8GbqlriBq4E3nkqHHQsmeHYXjedU2bf UdXu
iyFqPpI41nxo6k8Pskk8aH/IJRjQsoom09a6UThekCVyBpiDO2xtzGFeprOaDtaKWN
<<< skipped >>>

HEAD /ofr/Solululadul/asgnd.cis HTTP/1.1

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:29:46 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: r0l wRO3VrTWMxpyy7K5DFJkIylKkOdGcoDsxp3z9PRxUp3SCwQ8ILxvKXjBn/ql

x-amz-request-id: 31DA117E04BA7725

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

Content-Length: 101029

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.0.10..Date: Tue, 06 Feb 2018 13:29:46
 GMT..Content-Type: application/octet-stream..Connection: keep-alive..
x-amz-id-2: r0l wRO3VrTWMxpyy7K5DFJkIylKkOdGcoDsxp3z9PRxUp3SCwQ8ILxvKX
jBn/ql..x-amz-request-id: 31DA117E04BA7725..x-amz-version-id: ak82ScyX
tEXeOWL8crBo3MgwwdwO6r.3..x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016
 14:37:36 GMT..Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT..ETag: "63
8ebcd93f900c3908f5dde6d8bc2d9f"..Content-Length: 101029..Accept-Ranges
: bytes......


HEAD /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:30:30 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR9o7P0l 8j33MAigdU=

x-amz-request-id: D4528B33F40741D5

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Length: 9322222

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.0.10..Date: Tue, 06 Feb 2018 13:30:30
 GMT..Content-Type: application/octet-stream..Connection: keep-alive..
x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR
9o7P0l 8j33MAigdU=..x-amz-request-id: D4528B33F40741D5..Last-Modified:
 Mon, 08 Jan 2018 15:22:04 GMT..ETag: "0b8bb38d4b4285ff492687db18d9233
e"..x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT..x-amz-v
ersion-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W..Content-Length: 9322222..
Accept-Ranges: bytes......


GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=7065600-9322221

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:30:33 GMT

Content-Type: application/octet-stream

Content-Length: 2256622

Connection: keep-alive

x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR9o7P0l 8j33MAigdU=

x-amz-request-id: D4528B33F40741D5

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 7065600-9322221/9322222
......`.D.......o....dr....].cLR..;..Q....n.G.i....... ..P.<.eO]...
~.. '.c......$.....k..2.n6s....H@}..s..{N....?=TzZ^.......V....aso..i.
,#G.Q...1......w ..0m..Y.E.:.B....Su...n.v.o.s?-.....aJd..I....4.Y....
EfZgX.......2q...4a..j...PP%..'..OY.}.....A.............I......U!.....
..]E....B..-..}.....]sd.m..O.....1....JbA.xX....f..*V.*..?..6........L
....} S.../.vb)x....%5..zx......W....lv...18..j3z....]aUm.B.4...-8.O..
K...D....J.G0.V Q.Y.0....r.....l.7.. ...FC..y............u......s.z.=.
.....3...... 1.?.....p.....p.W%..._v...).$..wK.z.*..Z..2.)..aP.|bK0Rx8
7....x.jz..F.......v>.C (p@^$PZe..z.o./?.S5UW.J.a.{b......#.9../..A
0n...y..{]}.U2..H..K......dM.D...........j.%.0.:F....I...q...KD......O
H..i........w......Q....C.A0 ..y....{te.....?... ...XU.M...8....O.e%..
..C..~...D.y..S...@..9kcX {.- ....,.72Z..X..w].O..S..2Y.&.2{..1-".k.?.
....^.G.8.V.....D...............f.$._../.....z.....KR-.2...7.t@.kc.e..
,=@...9g...c.h......EwK...E....(.e.2]....*o.ym6...3.D%.l.d.#......s...
.[.?..D..Cd.u........H?Kv4.C.V......"....s.F....B....a..H... .&z-.s..7
.....6f...6Z...R...z...u...H....j'....ILFO............HQ./..|.~2fa.gY/
.......P.........z0...i.s-.Q;..!0...........<.....o09g....9@.`.^).c
$....g......d...4....5.......;.......A..%S...OKy.o..`...m.o.M..^.4..|[
=0.<v....v..._c..).e..Cz...;...^....#GqV...l. }..#.ce.....\#.._p.W:
...R..H]x...B.7n..!...K........o]../Q(#~.8..E>.....hOeIh.)..\.q5...
t.C.g.....D.|...7.M.......^`B......H......h.C=..;.Sh......x....z....pG
.....(.....3.QQ.a..y.......0......u...|y.&.hs.u...j...|....m{..<
<<< skipped >>>

GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=6758400-7065599

Accept: */*

Host: cdneu.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 06 Feb 2018 13:30:36 GMT

Content-Type: application/octet-stream

Content-Length: 307200

Connection: keep-alive

x-amz-id-2: e9igoX8mQWpKqGGCg4tvhEQ7CUFrJj0SiUVZ0bIfb DQ8s9oDzQFIRhMjR9o7P0l 8j33MAigdU=

x-amz-request-id: D4528B33F40741D5

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 6758400-7065599/9322222
..1<4.^.").#.v.D.j.T.*.FKqF..th..)....,..a.7..s.0?..."....I..^.R.i.
.(J......c...8..\.2..M.;nK.e7.....2......h......D.........w....ne..._.
....i.|Qb.\6.}X..>...@\;. .kM...D.........,..n...k4.Q..Fk.I.h..v...
.-K..A.v........].........BdW.*]..T..q...)C...z.......QU..e.y...l...Y.
..d.F...?.j..otM.i .{F..ug..g&.zHH....}...........3...mQ.?"..[e.....g.
..=<.c.V<....E.O#=..Cq.2l#.C~.1.7.t.][...}.=..3/.<L..5.......
./H.....'?...oJ.....L...P......J.......5..#x"...:KO..z...AZ...d.....2~
.S$.....?H23.....p..hL..'.]..p.x..E.q..i..X!!.h..,....s3?.S..`...>.
.}..|V..G.<..)w........B...v_(....7.u......d..........l..........8X
b.C..Km..q2.K>...&..7....WQ....T...\..Bs..{S...W.9WB{c2.@.:U....E&g
t;..Q.x,..e....?..^......./..cFs....hP..]._t3..W.05..........5.\......
..<M.$d...g.u..z....7b.m...jF.R......8.#.w.........p.XZ..(..v_...g.
...)...q.g73..P.Kt..........W..x:.V.].2n.v..*...3q....Q..e(.....ED.{.Z
..|.;..s.?@I...../.[...U......LL'@..e&....2\8B....3..x]T,....|@.#..VH.
D.9K(.....".0...1.....M}Q.c...>.(?3b6.......O...5-.\...v.0....Jn...
....D..S)W.IWC(......H....D....... v*;....Yp...-R[......o.=.9j...pC<
;=......^'.q...mE.\m.%..nM.^iIf".n..F..$_...>......Q..'.'mm..}q{..o
(...W.....^.so..fQ.."e.z|r}c..gh...-.k.k.0...F..$...]...r*LN..U.ga3..C
.A.%..$...\.B...oo.;7.V=>..3y...z.._(u...r..k>......I...G.A..i(Z
.f...k.kr...:..$~o..h......]....) e..F. .,.V...M.....L0O.X..).....,...
n.....o.KV..s...t?..*A(..-W.].CM.k{....l-:..`....^..n....$n.g.........
..~.......Y..L....J..K.GOtS..uRq."@Y.....Y..NA#.7HQan..A.6og....X?
<<< skipped >>>

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdnus.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Tue, 06 Feb 2018 13:29:46 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: 5GQej9bBEF7b24C VwZwDWYjAPs6vTrk7CTD6I07eHOS7n1RAZKp1nJ9j rQKyXoCqFEf nc5V8=

x-amz-request-id: 7CDBFFC464708CB5

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h
<<< skipped >>>

GET /ofr/Tefenece/Tefenece_3_18_0_080118.cis HTTP/1.1

Range: bytes=0-9322221

Accept: */*

Host: cdnus.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Tue, 06 Feb 2018 13:30:31 GMT

Content-Type: application/octet-stream

Content-Length: 9322222

Connection: keep-alive

x-amz-id-2: IBjhAmcCPAXYVPbsneVaKi4I0Quhk6Zv7RW0KILE1W 8iOLTDzcov05YghngI1AlPuV4KZ9fVl8=

x-amz-request-id: 660B6420EDFE1258

Last-Modified: Mon, 08 Jan 2018 15:22:04 GMT

ETag: "0b8bb38d4b4285ff492687db18d9233e"

x-amz-meta-cb-modifiedtime: Mon, 08 Jan 2018 15:20:48 GMT

x-amz-version-id: bhLsPvSbAYFTzG4aBgEEAYda20ZQTI.W

Content-Range: bytes 0-9322221/9322222
CIS.........................>......P.......A..m.d...X.a.uE4H.5@.. &
....E..1<J.F.".S...,....-DQ..w....<{T..B...~.=.%k=. b..G..L(..V4
.K.v..q4g.eYUU.fb...J..f!{]..u6G.....9.?..yc...<.:ZC...(..........\
^S..A.$.;...Sg.AgH..Wy.bEe.........1,...[$..p...rZb1>...<.......
,..jp..X^*...uS/`(L.-.IyD.DA%...`O..n...$.~.P...a-..k...p.].X..o.>.
S8...yot.~.K51u..T...M.s.F.....G....: Y.<w...ji..=^q.3...`4A.s.'.5.
..i...v..dj.(KG.A.-4.i1..uK..h "..}....-...>D.>f0.'.......|...iX
>.-,...v.E/r..Dt|...$.A8^>W.]..d..).6.|.i'O.s...X.d.b%-..C{.'.!k
.q..?.f.p..Tzur.......Z.....3.td..a.d.....A.>.9.G.h-.knQ?.6.FT<.
sw.J..$......H@E..=O..K%V.rWm\.u.irr.>Q...ls.O....T...XW".n.~.5Y.qO
..@>...p..Hh.o...6.g=..[.......E...y...9N..35MFx.~cC|/Z:...q...=.d.
O...:...^....7.#g....'..O..I.C(2tj..U.5.Awn.Ec..E......OW:..Lp[.^.6.x$
8...m.j]....H...H....#a ........).;Z".!.R.Fc.ju.....A........S.s.)....
.............=.e.P...n.;F..[c)E..,^....6Y..;.[K..0#.J.y......J?5Mx...5
8s....R|;B..'.... f...4.!? ........i......y..z...(..!.7......^H..h.M.V
\..HB..e.<...LQ6e...c..g{_.] .nq.p..= ..|3*8.xf............Vg..^.M.
...&..u..[....8... ...x......\3...)m...@.F.A.L..7.c..1.3 ....,?1V.<
.^........OJ..>...B..M..;.-..p$'Q..,>.#.....bW.z;....~..?...xC..
...Jc,...1U..~ny..u.J.*....de.p...........~...XH..Z.A$|.....Yc...$T...
d...U....vO.4(...j..u.....M.1E..u....I;....wT.%.nQ..o.....u.*j....(...
r$..5X...........V...^.....;...Y.T.o.tF...3=$.b%.$.f.w. .s.6..B..Y....
.........H.Ct..$.[ZM..9.d.....2h.ec..f.h.:pG.......`.y...@..i...e.
<<< skipped >>>

GET /img/Lolosobeken/Lolosobeken.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.downloadastrocdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Tue, 06 Feb 2018 13:30:30 GMT

Content-Type: image/jpeg

Content-Length: 25636

Connection: keep-alive

x-amz-id-2: VL4dvNqajivxAAy2tjkhEquqS8 vR5LAoy/8oVA49/bcx/AGnCGjplZ1cjwW8LH8V8YeiuzlyPU=

x-amz-request-id: 1542DAF7A17C83D5

Last-Modified: Thu, 28 Jan 2016 09:19:56 GMT

ETag: "87b87af183af0346d6f690d90fcbfdde"

x-amz-meta-cb-modifiedtime: Thu, 28 Jan 2016 09:18:09 GMT

x-amz-version-id: fxDNg4A6sWDqFygBZH_0nM8zviOFIlmF

Accept-Ranges: bytes
......JFIF.....d.d......Ducky.......d.....&Adobe.d....................
...E...d".............................................................
......................................................................
...........0.............>.........................................
........................................."...P1..56. #70`!.p.23@.A4'..
......................!.A2....1q."3...5u6PQa......4t...B#D. 0`..Rbr.Ss
$.....C..p.cd.%.'7.......................!..1AQq."24t.Pa.....3... 0`p.
.r....BR......b.#Cs..%.....................!1Qaq..A...... P0`.@p......
......................................................................
......................1...-\.7.PD...........................iigW.j.s..
.ao>...Gk...........................b.l....G.4.<..V..)..........
7....tG......=K.9-..n...2...Q..9bo.......................Rk.Z.k\......
...{..:_.c.p..7.-.x.........G.h..OYf....f.....................P...KE.l
=....._U.......................8..z.I.@...............................
.......................................f.M`C........F2.\....;..... ...
.................f[N^d)0.......... .-.Y..]b..O.C....................m9
y....>>....^....H.}..[.3$......X..gS)u..)<..................O
2ff...B.....WG.....3 Z*d1..C9....R........;=...m..,.]..z.'.!..........
........X.....R`...*...U.'"F..cO.<P.....$..kz..X.kX..gR.u...<...
...............O3fi...B...\.V./:.$^(..[*.(jW..`.7..#K... m...kX..gR.u.
..<..................O4.k...B...\.^..:.D'..%%?....W..IU..y51KC1l..-
.Y..]b..O.@..................).m9y.....6U.K........'.\[6..m.u".X.6
<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=328237267 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1984

Cache-Control: no-cache

...3E.Q)_l.y...K.1>Q.9v"..0....AZ.g.....6.t=..h%(....r

.M....hxk...3g..>.....B h.........HH....d..g.4X.j...q......v>......$3.].<..F5....$ ,e..R..q....D..M....T....h......D.t...0. Q.V......b..{...tD..z...~..x#.,.../..U..
..Q..X.Q.\.}...8....7)..,.[..)..)-4..~.u|....5..............&...uz.;....4H,m.'.d.r....'.Ek.a2..N.......!.).s}.!h...#v...;

5...z$9i.XNf>^k.ZT[.vW..s..........-..L

...&3q7.....:..u..xp....5....J..a..=4O)...d9.N.5....%...3j......p...;..Y..:-G.7.A../..j...fwy.jV.$.
?I.X..g.V.....$0r..

.|.......6k.....z.... ........[.....4.F...#e.ml....$..4.....*.U.......Y.kbb~^C...(E"iQ..;.S)..@w,....!5r...R.Bh.........E.......?4..d....;m(.F.(..V'&.n.r._.....?....^..d...2.v.).p6H0EJ.....!.Aub.C. .u,|....N.....L...

.*pv........mi(..t(._..r_F6.(....=W.#Qq.......D.T8.cN"
..>..
...PN...|.J....;.K...1..'..wN.4*.

.KA;.....L...F.
}QCL>..p......MA.....bo.....:..i..;........4
........p.W...h.V\...g..L...?H..#.....^LKFL1-.
V.:....../w." ...j....a......F.......9WV....,..>q...:)..msq..SAp.|.E..Cl..K..m....=M..._6..t..yUv.0.,....~
....@.Ud...*....b<O.l.zJ^..q2.&.rV/..si.M`..rR<.....~..F^.D/...un.g.x..n....y..a. ......O..m.).4..q2m.d.#...B.r...Ocr.&.
...55@.qE!.i.
..v......k..5 :.l1.Q2 ....D....7...$.......G..E.
...n..Gp.M2l. ..\F........W.)B:...:.2.....BF.....#.%.Q.@q@
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:29:42 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:29:42 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=136108574 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2384

Cache-Control: no-cache

...4.....>.K..~..}...0..5..i..M.c...{..VM....T.c|.hrM...L ."v..S..)/.HL...!Z..c...$j..5.J.....x1...j@.. .?. ...B`.|.......\.3@.4c.........k!b....kA....q`.$..ad...B;Z......7c....;.....e..
v'!..x0.1.G.JZ.....8.,..\ve>..i...
.<pB.3W.P.........\..Z..v.E...... s.

.....u..&.....E4...N.(....L..k.:...q=.9..lI.n..C.g../....-.E..d..<H`....P.&...].u...<Y{..k@ys...\....{xc/Q...G.p.$.~..Q.A.x../;.WG............og..#.H.!*l.....QE...E..N..O...6O.9y.J.A

.j.,[.y.n.Y.l...r.

..x...U.8q......

.`.....or...r.......-_....8.......*.......-....q..:}...m.t..G.m.z.S..!...x..y.]*..//>;=W."..:....b2....jd..r...`...1a..n.b#2..'........6... ...${..-d.24..N........].yI...Fl.V...........S.(.y......,."@a..ax..!K)UUL'.9.'8.;..M.4..m.z
...X.Z.......s.s.M.H.S..'#........LW..,..8...K.#.....i..!J'.O."..

7!..'........V.v...F..w.......q.....@..............a.....DG~....B.D.......vF14...@}4F...........`o.7..^

d^2......x.eF.J"..O.._2.....]K..$|.(...$.9.U....3f......_....`..u.y....7..M.1....a.F......CH.. ...\7.........C...6^..lW......&..._.o. T.
.....

.. ).@.~..g7..8~.#.._b...a....n.n..4B.a. (.......:.

B/\...0..../...~...u..X....J..#D....a.i...a9...c.4.Jl*.5..i..T.I...0.k..."t8.................5 ...kY.Z.B*.C.%nE....4.../..t..T........j..H$.....k"P...?..f...e.2.?.W....|.u.~.....{W% {..r.5..#.l...]] .3....d..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:29:43 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:29:43 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=1738505676 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1552

Cache-Control: no-cache

....V.....2$....|................-f\.....OD..\..y.....S.$.. (......F0.QT'&........D.....!GV....

.......c..B...v.Q.....$.S.b.0. ..G.L...@.............V

rZ...^)..I........Q.P....ve......Td..]<

.....X....d\.m.A.A..{{....J*..]..*..'P..... ..x...,...0.PH?...[.J.../Xw....s.C...$..L..A.."fvc.............z...
....msvp.{....R...5..p.k.
..=.ZK.L..o.}...W..

............a.*..]A3..<s#$......3}.8..dz..n.1C.m..].Fc..e....rFH..A..w...".4.u0.b...g..<.l./ll8j...?2oRi.W ...._....y.a}4...`Hu..A.HG...q.VP......4..3...(#.#.VuX:;s`=JV.....<..Q
........-h(I$r....(.....X6..XLL......'.9........C... .3.JQJn....Z.....<.....'2V...<2W..2]...sj..........g.]. FW..5...N~..S{E..z...`....m B....!.8...;..i/.].roE.......}...,..s.8...c.?..U..o.=:..........>..q........s|.t..GJ;...Q..-....:N.y....:......1...x/i.......(..g..G.........
YHge.X}K.b....y.........q.<..9h....m.....a.....7._P.9.`.p#.It......2D.....h.=.y.".t.N>$..S.Gb.1..3.7.%<.?

..*.a......j.........7..`..N.j...@:..5.e...q..'.........8S#~.....8.S...I..~q..-...CZ.....8../ca...z.. ..(S#...y...b..K..F....23.L..0..?0N.-g....K:.F....tiB..0

H......e.^.M\....{~..

.?.d[.......s.|P...7.O*..N`KYuk...|..,.....p....
..'m.O.Z..w.....]..`..` ..sO.1......IZ.....8.H.d...> ..... Q......x..*...IO......E{pdF.....p...?....wh.r]Ja....

gy&....N.V...

.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:30:29 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:30:29 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=541176657 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1552

Cache-Control: no-cache

.I..G.)E..,(D-....O...I......nr.I[....!./-Y*..@.r..:.E."...Z.b:...u....c`.B......n(=....th..`......nhP..8. ...p.#

q.C..>...?]....\IsL..j.j...m..@.'&B.i>...W..q.a..6.P...a..]i\....ax..[..xz....?&F..l..Q....@x^......T.z...!......UIx5yy{...TytTv.......m.g.6....^.|]..r.0..........qEa...sroB..7QS.*I....0..-n..{.]"%.&..@Kz."0..<..{V".. ..$..aM.XS../ON.....t.0m.0..f..X...6

-6..w&..>...4."9...}&....VQ.2...L...(\U....I..<..h<.;.,>g..o...R3..tmP....]~.?.*.k.}v..... .?e.NK..............a...6..'fyU...XH......|}.d....z}j57.%...,\.^..\.e.:..#.T...rf.yum.i..W..es.*.FF...e....M.Oy....~.Qt~g
.?..h[(N..%N..)v.(AI..z..aZ.....l..O...5..>b.0.....I:.3..,...Y.ym.0.O/W..$...3.H^B.k.]..c.....L.....,Jr...jd"..N

E.....UR,.....8vW...._...d....E.F..H F...?..n....,:.^}.........O3..\v..... .....(@gm 
.C...J.d[Z..".dU.;.rF.O..qf.. ........qx:.d.\....Ja.......=.x~."..YVf..jj......8.$..P.hJ.H$hV.<.H..i..q.C].K..<..t{.c.....!M.l...Q`........i0./uP.....J/.%1.u..3.y..V..d.).Ph(...z.L......UMX.:.{SM..]...1%...v.

`..o....<R.I.vO...=..m.i......$P....UI.b..>i...B$..<:..S..M....IB..4....S~2*.....7W-<.......JC.A...<.i.F.b.......i...k.4..Z.........

....4.M3F....`.g.....t.-.awZ..Q...A..X[.tq..(.......# ...@.Q..(..R...Z..?<..Q=s.u...25.Y' .[.;....r.'..`...M...._;..1..P....*1.c...
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:30:30 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:30:30 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=1887738617 HTTP/1.1

Accept: */*

Host: rp.downloadastrocdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 4944

Cache-Control: no-cache

W..$...1.:.A].PP..../;B...|J..2.y@;........j@....h.J.FN.=Y...^8...[....v,....<.....I.o.5.m:...4..B.y..'....:tL.3>}la......9..?....h...Eb\..R.C>.I. ]..u6........
...........u..
.....Sv........Y.R....<

]...-UL...LNZA..2.rJ..!.G.u.x.kg..n...}..b..*"}......P2.....jkp..K,%.g...ae...3.{..i..d....D....Tu...l.k.iD;.K..OoPC.......r\z2..V.....]9SR..i.{...<.ac...c.%..L.pV.b..[K/,J...$.

...R..p.....S...#......%A[.C...f...T..Y1...$gN...g..........|U7GL......g.hN;.R...._.. ..h.MC.=.f.N..woh:)Qi.mV..h....).'..

.y......`/...Z"..
U&lu.)P....I...........w.6. ...g?..;.e...Wrdo...W......$=.K..^Uk.6.......v....p*...

 ..W-.l.q.....b@I!B...(...'.:.n..,......_
..T..d..q.g...y...Ujsx./..[ .. .H.-#,t...7....F"0....O...>.?`.....Dw.9..../.w.....[:
.V169...../Z....D_...\>on.W..k......mLo.,........d......-Y....U!#j.Pv..v=YT...../.....1.>.....b5..V.Y.>.~.....^.............sI...sO

Gm..K.w-.Y.C.......=..K..$e.8}.c.......
......^..v..Kt.V...V(..jN...d.%...d<.|...H.jG.D.t..<..\.W.f...NS>...^~.............6.5sU.mz....ui.0....<....[7(.*..L.PB;~...................L....7.V..o....4).....cv.{. ..F.eS..s...oSB.`.K....

.b.g/... #..... *..V..,0.R@.5=..........HH#(..........y.Iy5.....M...m.u9..$....852{.....p.?.j%i..)...!..$.=.$.|V..c'

.!bG....ok.;..|.a...{2.../e/\m.."<H..1..XtH.._......
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Feb 2018 13:30:43 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Feb 2018 13:30:43 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

GET /downloader/nl/ccleaner.jpeg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: images.downloadastro.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Feb 2018 13:29:43 GMT

Content-Type: image/jpeg

Content-Length: 2369

Connection: keep-alive

Set-Cookie: __cfduid=d4535149eda7d45c03f8001a96b812c901517923783; expires=Wed, 06-Feb-19 13:29:43 GMT; path=/; domain=.downloadastro.com; HttpOnly

Last-Modified: Wed, 09 Jul 2014 15:49:46 GMT

ETag: "4efab5f8ab8df3cfa96a3b8a6f37a8bf"

Cache-Control: public, max-age=432000

X-Cache: Miss from cloudfront

Via: 1.1 7907ada877f3f98933a06c5aef6c574b.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Y80AO17h-uuDSJ87SIwtZig0RlFFg45ehJix1kronG4sd3qdgBT8Fw==

CF-Cache-Status: MISS

Expires: Sun, 11 Feb 2018 13:29:43 GMT

Accept-Ranges: bytes

Server: cloudflare

CF-RAY: 3e8e75bea0978436-KBP
.PNG........IHDR... ..........V......IDATH...{p....?...G.KBB.....P....
,. P.VP.El...(.....t.:Lk;v..U.|..C[.G........!`..y].$!....r..._...Q...
........{.W...hE._.#...@..M.j....wY?.!.XK1.,CV.F.f@.....@.H..h..P.....
.-1p..&\$.~.>.y.....B...@.%.....M=.....P...-......./F..6....kK.2N..
J%J.J=.u...B......0...#...> ..C.3...p.G.....g.^...@9......l<....
.Qd...<..[....{<.../....3......\.......]q..u!..J....6...6...h.-.
'...;..k.,...pP.(}@/B.!4g...dDY....}...W'..'!......e..!.......}.>6Q
 ..kh.=.?>..n..U@...D...Tz...(.@.. ......u...MM.OC.8......mP>.i.
^dB...>...v.^.....o..K.#.....sa...o<..F..b'..K....?.~L....."..C.
?..h.0... ...b...d.a$^....X/.a..~.$u..".............0oh..S.... ....#".
F...;.....s-..5<l.^.7..b...........?..f........7..c...x1......O.]..
tem....^...<bA.0,...Z.P.&.....8....f.V.......P....u. ..0...W'--h...
5.h;yu...:.AH..&.g.._.....G.Y.=.....l.........3.7/......T.TLT....0.7..
.y.%p........4.3.....u...P~.......!.S.U.x.......1.c...:$.#....B..d.c1A
.K..K...v.2.....I...[.q...........O_...P.......v...}.%0G..F!#E]...HF6.
=..c..pp..!....!D....../]..1....5|]a._.*....7.. .q......r.;.....!....[
y.... .....h..K..M.X$.3..g.7..?.......$...RPh......$.g..t...a#g%..6%.O
7].@.B..@..."...~cX.R0..(7....b....U.....4........3c{..n.....086..V.U#
..?..o...Siv..SH..vuQ,........!.A...C..b..<....}4mJ4/F....7..s.....
?..AAN....(.....L:.<z.....n]QT..............P.pS..@cV..!W<..g...
.\2,..v...X..vv.I....-....$"...4w5q.d#.........x.n.[..e.E.&O.?~k......
...m....4....U......m.....Z[..V.p1r3.4...=...Uy..M..i..t.x.24...8.
<<< skipped >>>

GET /event?Eventname=Installer&status=ICStart&Product=ByteFence&i_data=2StR1L1R1V2Y1L1QtRzxtRtDtDyDtDyDyCtA0B0A0E0A0C0FyB0E0DtRtHtR1T1O1I2ZtRzxtR0D1F2W1G1I1F1T1Q0A1B2Z1C1FtRtHtR1L1R1V1O1I1T2X1F2Y1CtRzxtR0B2U2Z1P0F1P1G1R1P1V1B1F1I1L1J1FtRtHtR1F1B2X1P1C1B1L1F1GtRzxtRyCtFtCtRtHtR1B1L1QtRzxtRtBtDtCzztDtBtDyCtCyDtBzytAyDyBzyyCtR2Q&ruserid=&tag=2.0.50727&OSVersion=6.1.0.0&version=3.18.0.0 HTTP/1.0

Host: logs.bytefence.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

content-type: application/octet-stream

Date: Tue, 06 Feb 2018 13:30:44 GMT

Content-Length: 0

Connection: Close

GET /ccsetup516.exe HTTP/1.1

Range: bytes=4300800-6868671

Accept: */*

Host: download.piriform.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 2567872

Connection: keep-alive

Date: Sun, 19 Nov 2017 04:56:53 GMT

Last-Modified: Tue, 22 Mar 2016 11:20:08 GMT

ETag: "e679fcf33ffb57bcabbc598ab5c18be8"

x-amz-meta-cb-modifiedtime: Fri, 11 Mar 2016 20:52:26 GMT

x-amz-version-id: RcUwGR2OGzvBu6usZs9_eajaDeObhdf.

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 4300800-6868671/6868672

Age: 78313

X-Cache: Hit from cloudfront

Via: 1.1 1a483cde6df004748f3e5c80dc46df26.cloudfront.net (CloudFront)

X-Amz-Cf-Id: zxLlL0zKHBVrR5o4CFljQMFg-kYxL8sPnEPp309S8fQ-6WoXANy91g==
...S....f.R...8....! ....Wk...jztp.R.g..(..#.WE..EVr...$&........n....
....C7..B..I......f..bh..-.)qX....>!d....e& ...<x'...,X......d.M
I...D..p..W....E.?r...};(....Hx..2m..'.....Mo>.. ..?.$....K{.X%L...
T....6...1.!...(.....@H>>(m..7..9.E..E...k0.l......5.yP.m...*-S.
....A...j.....x.#..4....C......%.R..\4MO.s..../.lA.....s.......*Q.gT..
.T.&..M0<.}&'.\....Ou.....;..?.b.)...$....[..N...0..j..Z.2_..?,Dn..
... ^Ab.).<L...l..NA....D....s.J.)*]...^...(.....(g..-8....V..`.G..
./&[...)>...t..j/.1...=42...2u:.....w:......M..{i....q..t....O...)3
.M.9.....E..'Zb(.xTUz}BZ.( ..8....%..(.7..`.[.`!....z6...DI2C."!..A.w.
{..K;....FO....8.........{..._.kGP...zR....r..W...j#...n5.AO..EV..\q..
......Ey.E.3B.r._l..3.Hv.6B....D`.M2..Y[)........$.Z.P)...p.a...!AT..e
y....p\...........`......R.6k....].6.....u..1..........I..J.5.n..|{.G(
u..lw:g`..!...j.[..O..M......G...kd.6..>&B...{:zS.C.:.....9?.....!.
\...^i...Uu.......".I...J.g;...O._....ds.1Z'.`....'.......<.%.A....
......K........wk...Q.j..4I....3o.Ex.vZv|..i.!~,....C.....D..>`...V
a5..M..0...&". D4..6....`......$.e=jg....._...9..'.\o...w.....#..1..p*
..t/..dO.U7.....,?...L.H......3....jB..u1.^..Cl........1.....6 j.|"AZ.
-e.......}P.f..N.*:$z!f.N..g.\.;..0n....$B..7.f.<.|M....];.K......?
..1.(.#..U..?.RY.~....Bv......)..C8...u........"..G.C...v...........J.
t`........V....7.....!....V?jN7.....`..7....m..0P.k.N-...$.N9.....?...
!....?..[.}.>...C..Y"@8.............._......E.o.}N|.Y!..i..... ....
............xp..e....'`..s.!M...6..........O....C3.g.%.g.c>...e
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2400:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

iexplore.exe_3516:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

ccleaner.exe.EXE_3592:

.text

`.rdata

@.data

.ndata

.rsrc

Vj%UUU

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

<label for="install1" id="chromeOffer1">

<label for="install2" id="chromeOffer2">

4 4$4(4,4044484<4

> >@>\>`>

@.reloc

ButtonEvent.dll

.reloc

PeekNamedPipe

CreatePipe

execDos.dll

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

.uy}"

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.50.0-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack < %d elements

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|<>/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

s\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll

-W78.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll

\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp

\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll

hot.jpg

1.0.0.8

kernel32.dll

Skipped: C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll

nsyDB06.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g

d: "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll" (overwriteflag=1)

tmp\execDos.dll"

W78.exe"

ot.jpg"

\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll

-W78.exe /r1:PRFD /r2:PRFF

ds\ccleaner.exe.EXE"

leaner.exe

leaner64.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb\toolbar.html

1311414

1573478

"C:\Users\"%CurrentUserName%"\Downloads\ccleaner.exe.EXE"

%Program Files%\CCleaner

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb

ccleaner.exe.EXE

ers\"%CurrentUserName%"\AppData\Local\Temp\nsoD9DC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp

C:\Users\"%CurrentUserName%"\Downloads\ccleaner.exe.EXE

1507998

1208617550

3539610

1049356

7996042

3539516

3801624

2687616

1573716

-2147483648

-2046754816

-2147410511

1114886

1049350

Free! Google Chrome, a faster way to browse the web

1114428

1376870

-620427837

-1207303202

1245792

1442400

1376950

1179964

1114512

-1156971626

1507816

1180342

hXXp://VVV.piriform.com/go/app_license?p=1&l=1033&a=0

hXXp://VVV.piriform.com/go/app_privacy?p=1&l=1033&a=0

C:\Users\"%CurrentUserName%"\Desktop

1180048

1311328

1049324

1442406

1245878

1048892

2.0.0.0

iexplore.exe_3344:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

SearchProtocolHost.exe_1892:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

PF-Toolbar-W78.exe_3136:

.text

`.rdata

@.data

.ndata

.rsrc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

Z".NK

W.Qfy

<requestedExecutionLevel level="asInvoker" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

Certification Services Division1!0

premium-server@thawte.com0

/hXXp://crl.thawte.com/ThawtePremiumServerCA.crl0

*hXXp://cs-g2-crl.thawte.com/ThawteCSG2.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

###7777_{

###____777

###````87{

RR%U=

o:Œ

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.42.4-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>

verifying installer: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|<>/":

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_1.3.21.169.exe /silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google Toolbar&needsadmin=True&brand=PRFD&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d=ask&h=ask2"

C:\Users\"%CurrentUserName%"\AppData\Local\Temp

nsoC23.tmp\System.dll

046754816

\AppData\Local\Temp\nsoC23.tmp

\g\PF-Toolbar-W78.exe /r1:PRFD /r2:PRFF

GoogleUpdateSetup_1.3.21.169.exe

soC23.tmp\System.dll

u Windows 2000 G

Windows 2000 Service Pack 4

Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.

Windows 2000

. Windows 2000

Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.

n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.

o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.

n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.

1.3.21.169

GoogleUpdateSetup.exe

lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi

m Windows 2000 Service Pack 4 nebo nov

ver Windows 2000 Service Pack 4 eller bedre.

r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h

Windows 2000 Service Pack 4:n tai uudemman.

cessite Windows

je Windows 2000 Service Pack 4-et vagy frissebb verzi

krefst Windows 2000

Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.

Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.

Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.

. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.

o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.

it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar

ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.

m Windows 2000 Service Pack 4 alebo nov

ver Windows 2000 Service Pack 4 eller b

kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras

Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej

uab rakendust Windows 2000 hoolduspakett 4 v

ama Windows

Windows 2000

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC23.tmp

nsoC23.tmp

0663296

ers\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\PF-Toolbar-W78.exe /r1:PRFD /r2:PRFF

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\PF-Toolbar-W78.exe /r1:PRFD /r2:PRFF

c:\temp\Google

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g

PF-Toolbar-W78.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsoC22.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\PF-Toolbar-W78.exe

-2046754816

-2147410511

/silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google Toolbar&needsadmin=True&brand=PRFD&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d=ask&h=ask2"

CompanyWebsite

hXXp://VVV.google.com

1.0.0.4

GoogleUpdateSetup_1.3.21.169.exe_672:

.text

`.rdata

@.data

.rsrc

@.reloc

Invalid parameter passed to C runtime function.

mi_exe_stub.pdb

GetProcessHeap

KERNEL32.dll

msvcrt.dll

_acmdln

_amsg_exit

SHLWAPI.dll

ole32.dll

SHELL32.dll

USER32.dll

zcÁ

VUdp

.vQ*]

`.sJ:

% ]t.hT

d/:%D

.xF\`

T5.vm

Lwkk%SZPL

.izGR#hO

.RS!?

%j.UTR

en<.rv

[Q

.UGREY`

fN.Fz

%DJzG"

.iK&H

3qp.SD

.PyY;

.PT^\

|SSHkm

t[U,%c]

wf%9X

.tC>g

JjG%xw

y.MPM

.Sy=\

99%UM

p.tXP

.NgJXx

C:.Cj

kEyZ.

.Osk*

sE9.uN

.MgkW

.beXt

z.VU5

Gu.vY

UrlQ

0ÍN

.FZOg

`%.f1:

F.Hk*

N .Ia

_.Ye*

.dU( BH

.roK5

_%d!,

&dO.jf7g

\h.cLx?

pF%uD&N

xK.%sk

G.Ri`l

C=c.xXvH[5

/s.TK

"C%XF

H.SVC}

A%UiW

LjAc]

dòB

Df_%fG

oM!TxX.Qj

>OE.aT<

.sfPc

C7N%f

i^.iM

z.w%u

$].Io

`aMEüb< w h

E8{%C~

.eb= ~

.pr${lU

.CO4gQ

|:%Sk

j%FmO

fCJt*-RA}

='.NC%

RR%U=

o:Œ

###7777_{

###____777

###````87{

<requestedExecutionLevel level="asInvoker" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

GoogleUpdateSetup.exe

/%s %s /%s

Windows 2000 Service Pack 4

Windows 2000

lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi

m Windows 2000 Service Pack 4 nebo nov

ver Windows 2000 Service Pack 4 eller bedre.

r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h

Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.

Windows 2000 Service Pack 4:n tai uudemman.

cessite Windows

je Windows 2000 Service Pack 4-et vagy frissebb verzi

krefst Windows 2000

Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.

Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.

Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.

. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.

o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.

it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar

ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.

m Windows 2000 Service Pack 4 alebo nov

ver Windows 2000 Service Pack 4 eller b

kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras

Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej

uab rakendust Windows 2000 hoolduspakett 4 v

ama Windows

Windows 2000

u Windows 2000 G

Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.

. Windows 2000

Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.

o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.

n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.

1.3.21.169

GoogleUpdate.exe_3588:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

kernel32.dll

GetProcessWindowStation

USER32.DLL

GoogleUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

###7777_{

###____777

###````87{

%Program Files%\GUMCCE.tmp\GoogleUpdate.exe

goopdate.dll

GoogleUpdate.exe

Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}

1.3.21.103

2007-2010

2007-2010

GoogleUpdate.exe_3560:

.text

`.data

.idata

@.gfids

@.rsrc

@.reloc

operator

operator ""

%S#[k

GoogleUpdate_unsigned.pdb

.CRT$XCA

.CRT$XCAA

.CRT$XCL

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.rdata

.rdata$sxdata

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.text$di

.text$mn

.text$yd

.xdata$x

.data

.idata$5

.idata$2

.idata$3

.idata$4

.idata$6

.gfids$x

.gfids$y

.rsrc$01

.rsrc$02

RegOpenKeyExW

ADVAPI32.dll

GetProcessHeap

KERNEL32.dll

SHELL32.dll

USER32.dll

SHLWAPI.dll

GetCPInfo

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!-- Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!-- Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

###7777_{

###____777

###````87{

0 0$0004080

?&?2?@?}?

2 2$2(2,2|9

0	0D0

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

kernel32.dll

GoogleUpdate.exe

goopdate.dll

Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}

%Program Files%\Google\Update\GoogleUpdate.exe

1.3.31.5

2007-2010

2007-2010

GoogleUpdate.exe_2184:

.text

`.data

.idata

@.gfids

@.rsrc

@.reloc

operator

operator ""

%S#[k

GoogleUpdate_unsigned.pdb

.CRT$XCA

.CRT$XCAA

.CRT$XCL

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.rdata

.rdata$sxdata

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.text$di

.text$mn

.text$yd

.xdata$x

.data

.idata$5

.idata$2

.idata$3

.idata$4

.idata$6

.gfids$x

.gfids$y

.rsrc$01

.rsrc$02

RegOpenKeyExW

ADVAPI32.dll

GetProcessHeap

KERNEL32.dll

SHELL32.dll

USER32.dll

SHLWAPI.dll

GetCPInfo

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!-- Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!-- Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

###7777_{

###____777

###````87{

0 0$0004080

?&?2?@?}?

2 2$2(2,2|9

0	0D0

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

kernel32.dll

GoogleUpdate.exe

goopdate.dll

Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}

%Program Files%\Google\Update\GoogleUpdate.exe

1.3.31.5

2007-2010

2007-2010

googletoolbarinstaller_en_signed.exe_3984_rwx_003C0000_00002000:

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

googletoolbarinstaller_en_signed.exe_3984_rwx_016DE000_00002000:

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

kernel32.dll

VERSION.dll

USER32.dll

ADVAPI32.dll

ole32.dll

SHELL32.dll

ShellExecuteW

OLEAUT32.dll

SHLWAPI.dll

GDI32.dll

urlmon.dll

CreateURLMonikerEx

USERENV.dll

PSAPI.DLL

WTSAPI32.dll

WINTRUST.dll

WININET.dll

CRYPT32.dll

CryptImportPublicKeyInfo

2000-2014

7, 5, 8231, 2252

GoogleToolbarInstaller.exe

GoogleToolbarManager_8B0481A9A34D47CD.exe_3180:

.text

`.rdata

@.data

.rsrc

@.reloc

8%utP

j.PQj.PV

tG<%u;

PSSSSSSh

tGHt.Ht&

Unicows.dll

Kernel32.dll

installer\tbinst.cc

installer\install.cc

installer\register.cc

toolbar\qsb_installer.cc

toolbar\userbrokerinstall.cc

application/x-www-form-urlencoded

hXXp://toolbar.google.com/custombuttons/

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns/

omaha\omaha.cc

.dydx

common\execute\executor.cc

common\execute\elevator.cc

common\execute\execute_utils.cc

common\componentmanager\product_manager.cc

common\componentmanager\product_version.cc

toolbar.google.com

common\componentmanager\action_executor.cc

common\componentmanager\product_component.cc

hXXp://VVV.google.com/schema/componentmanager/2008/06

hXXp://VVV.google.com/schema/componentmanager/2009/05

XXXXX

@{"method": "spelling.check","apiVersion": "v2","params": {"language": "%s","text": "%s","key":"AIzaSyCLlKc60a3z7lo8deV-hAyDU7rHYgL4HZg"}}

CREOLES_AND_PIDGINS_PORTUGUESE_BASED

PORTUGUESE_B

PORTUGUESE_P

PORTUGUESE

!"#$%&'()* ,-./012345

%&'--.-/0124

#3895555:;<=

11111111111111

4444444444444444

66666666

77777777

888888888

<Image height="16" width="16" type="image/icon">%S</Image>

<Url type="text/html" xmlns:referrer="hXXp://a9.com/-/opensearch/extensions/referrer/1.0/" template="%S" />

<Description>%S</Description>

<ShortName>%S</ShortName>

<?xml version="1.0" encoding="UTF-8"?><OpenSearchDescription xmlns="hXXp://a9.com/-/spec/opensearch/1.1/" xmlns:ie="hXXp://schemas.microsoft.com/Search/2008/">

' ).;<52

requested feature requires XML_DTD support in Expat

unexpected parser state - please send a bug report

xml=hXXp://VVV.w3.org/XML/1998/namespace

RegDeleteKeyExW

2001:10::

240.0.0.0

224.0.0.0

203.0.113.0

198.51.100.0

192.168.0.0

192.0.2.0

192.0.0.0

172.16.0.0

169.254.0.0

127.0.0.0

10.0.0.0

0.0.0.0

2404:6800::

2401:3800::

2001:4860::

216.239.32.0

209.85.128.0

173.194.0.0

74.125.0.0

72.14.192.0

66.249.64.0

66.102.0.0

64.233.160.0

common\result.cc

XXXXXXXXXXXX

common\file_lock.cc

certificate="

1.3.6.1.5.5.7.3.3

kernel32.dll

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

%S#[k

operator

GetProcessWindowStation

USER32.DLL

.g.doubleclick.net

partner.googleadservices.com

pagead2.googlesyndication.com

.2mdn.net

.doubleclick.net

.google-analytics.com

build\win32_opt\obj\instrumentation\histogram_event.pb.cc

uma_metrics.HistogramEventProto.Bucket

uma_metrics.HistogramEventProto

build\win32_opt\obj\instrumentation\user_metrics_extension.pb.cc

uma_metrics.UserMetricsExtension

favicon_url

wininet.dll

ErrorMsg

T:\src\piper\branches\toolbar_b_p10_release_branch\googleclient\third_party\protobuf\files\src\google\protobuf\message_lite.cc

CHECK failed: !coded_out.HadError():

T:\src\piper\branches\toolbar_b_p10_release_branch\googleclient\third_party\protobuf\files\src\google\protobuf\io\coded_stream.cc

[libprotobuf %s %s:%d] %s

%d.%d.%d

T:\src\piper\branches\toolbar_b_p10_release_branch\googleclient\third_party\protobuf\files\src\google\protobuf\stubs\common.cc

T:\src\piper\branches\toolbar_b_p10_release_branch\googleclient\third_party\protobuf\files\src\google\protobuf\io\zero_copy_stream_impl_lite.cc

GoogleToolbarManager_unsigned.pdb

DeleteUrlCacheEntryW

HttpSendRequestW

HttpQueryInfoW

WININET.dll

RASAPI32.dll

CRYPT32.dll

msi.dll

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjects

EnumChildWindows

USER32.dll

RegDeleteKeyW

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

CryptDestroyKey

RegFlushKey

RegSetKeySecurity

RegGetKeySecurity

RegNotifyChangeKeyValue

ADVAPI32.dll

ole32.dll

SHELL32.dll

OLEAUT32.dll

SHCopyKeyW

SHDeleteKeyW

SHDeleteEmptyKeyW

SHLWAPI.dll

GdiplusShutdown

gdiplus.dll

USERENV.dll

VERSION.dll

WTSAPI32.dll

WINTRUST.dll

HttpOpenRequestW

HttpAddRequestHeadersW

CertFreeCertificateContext

CertNameToStrW

CertDuplicateCertificateContext

CertEnumCertificatesInStore

CertCreateContext

CertFreeCertificateChain

CertGetNameStringW

CertVerifyCertificateChainPolicy

CertGetCertificateChain

CryptImportPublicKeyInfo

GetCPInfo

GetConsoleOutputCP

.?AVActionExecutorInterface@@

.?AVIWebGetter@@

.?AVWebGetterBase@@

.?AVWebGetter@@

.?AVLocalExecutor@@

zcÁ

{4BE79484-F7CE-44F8-9071-DF4F2C610AF9}

Windows Installer XML (3.0.5419.0)

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sv.symcb.com/sv.crl0W

hXXp://sv.symcd.com0&

hXXp://sv.symcb.com/sv.crt0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXp://s2.symcb.com0

hXXp://VVV.symauth.com/cps0(

hXXp://VVV.symauth.com/rpa00

NameTableTypeColumn_ValidationIdentifierValueNPropertyId_SummaryInformationDescriptionSetCategoryKeyTableMaxValueNullableKeyColumnMinValueName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;KeyFormatted;CustomSource;Property;Cabinet;Shortcut;URLString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetFormattedExcecution parameter, depends on the type of custom actionExtendedTypeA numeric custom action type that extends code type or option flags of the Type column.Unique identifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.TitleShort text identifying a visible feature item.Longer descriptive text describing a visible feature item.DisplayNumeric sort order, used to force a specific display ordering.LevelThe install level at which record will be initially selected. An install level of 0 will disable an item and prevent its display.UpperCaseThe name of the Directory that can be configured by the UI. A non-null value will enable the browse button.0;1;2;4;5;6;8;9;10;16;17;18;20;21;22;24;25;26;32;33;34;36;37;38;48;49;50;52;53;54Feature attributesFeatureComponentsFeature_Foreign key into Feature table.Component_Foreign key into Component table.FilePrimary key, non-localized token, must match identifier in cabinet. For uncompressed files, this field is ignored.Foreign key referencing Component that controls the file.FileNameFilenameFile name used for installation, may be localized. This may contain a "short name|long name" pair.FileSizeSize of file in bytes (long integer).VersionVersion string for versioned files; Blank for unversioned files.LanguageList of decimal language Ids, comma-separated if more than one.Integer containing bit flags representing file attributes (with the decimal value of each bit position in parentheses)Sequence with respect to the media images; order must track cabinet order.InstallExecuteSequenceInstallUISequenceMediaDiskIdPrimary key, integer to determine sort order for table.LastSequenceFile sequence number for the last file for this media.DiskPromptDisk name: the visible text actually printed on the disk. This will be used to prompt the user when this disk needs to be inserted.CabinetIf some or all of the files stored on the media are compressed in a cabinet, the name of that cabinet.VolumeLabelThe label attributed to the volume.PropertyThe property defining the location of the cabinet file.MsiDigitalCertificateDigitalCertificateA unique identifier for the rowCertDataBinaryA certificate context blob for a signer certificateMsiPatchCertificatePatchCertificatePrimary key. A unique identifier for the row.DigitalCertificate_Foreign key to MsiDigitalCertificate table identifying the signer certificate.Name of property, uppercase if settable by launcher or loader.String value for property. Never null or empty.RegistryPrimary key, non-localized token.RootThe predefined root key for the registry value, one of rrkEnum.KeyRegPathThe key for the registry value.The registry value name.The registry value.Foreign key into the Component table referencing component that controls the installing of the registry value.CostInitializeFileCostCostFinalizeInstallValidateInstallInitializeInstallAdminPackageInstallFilesInstallFinalizeExecuteActionPublishFeaturesPublishProductMainComponent{5030BFB5-6F3F-40B8-AB8B-6C748D819B1C}INSTALLERSDIRNonEmptyComponentSAVELOCATIONARPINSTALLLOCATION[INSTALLERSDIR]GoogleProgramDirx79souhf|InstallersProgramFilesFolderGoogleTARGETDIR.SourceDirCompleteValidateProductIDProcessComponentsUnpublishFeaturesRemoveRegistryValuesWriteRegistryValuesRegisterUserRegisterProductCertificateForPatchingManufacturerGoogle Inc.ProductCode{18455581-E099-4BA8-BC6B-F34B2F06600C}ProductLanguage1033ProductNameGoogle Toolbar for Internet ExplorerProductVersion1.0.0UpgradeCode{37D80C9A-837A-464D-A519-F2E493BA6B75}ALLUSERS1ARPSYSTEMCOMPONENTDISABLEROLLBACKSOFTWARE\Google\InstallersMsiStubRun#0

hXXp://s1.symcb.com/pca3-g5.crl0

,hXXp://VVV.google.com/support/toolbar?v=5.0 0

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

hXXp://ocsp.usertrust.com0

MsiPatchMetadataCompanyPropertyValuePatches Google Toolbar for Internet ExplorerDescription1AllowRemovalService PackClassificationGoogle Toolbar for Internet Explorer patchDisplayNameGoogle Inc.ManufacturerNamehXXp://toolbar.google.com/MoreInfoURLGoogle Toolbar for Internet ExplorerTargetProductName10-31-2016 23:01CreationTimeUTCMsiPatchSequencePatchFamilyProductCodeSequenceAttributes0.0.22551.5255718455581E0994BA8BC6BF34B2F06600C

{BFF70815-2349-409C-8B32-C18E8551B140}

{18455581-E099-4BA8-BC6B-F34B2F06600C}

{18455581-E099-4BA8-BC6B-F34B2F06600C}1.0.0;{18455581-E099-4BA8-BC6B-F34B2F06600C}1.0.0;{37D80C9A-837A-464D-A519-F2E493BA6B75}

PatchFilesRequiredFile#PCW_CAB_GoogleTBGoogleIEToolbarPatchSrcPropNamePATCHNEWSUMMARYCOMMENTSGoogle Toolbar is a trademark of Google Inc.PATCHNEWSUMMARYSUBJECTGoogle Toolbar for Internet ExplorerPATCHNEWPACKAGECODE{7D55ECD0-6D84-4187-9040-82CE3DD1F2F2}PatchFile_SequencePatchSizeAttributesHeaderStreamRef_PatchPackagePatchIdMedia_{BFF70815-2349-409C-8B32-C18E8551B140}MsiPatchHeadersStreamRef

.reloc

executecustomaction.pdb

executecustomaction.dll

VerifyFileAndExecute

9#9(979^9

BinaryNameNIdentifierUnique key identifying the binary data.DataThe unformatted binary data.MsiFileHashFile_FilePrimary key, foreign key into File table referencing file with this hashOptionsVarious options and attributes for this hash.HashPart1Size of file in bytes (long integer).HashPart2HashPart3HashPart4ExecuteLibraryMainComponentRequiredFileLaunchFile.PropertyAssignLaunchFile[EXECUTABLECOMMANDLINE]VerifyFileAndExecutecgqzixbw.txt|RequiredFile.txtInstallFilesNOT EXECUTABLECOMMANDLINE=""RemoveFilesSecureCustomPropertiesEXECUTABLECOMMANDLINE

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<custombuttons xmlns="hXXp://toolbar.google.com/custombuttons/">

<site>hXXp://toolbar.google.{domain}/buttons/gallery?hl={locale}{sourceid}</site>

<search>hXXp://toolbar.google.{domain}/buttons/gallery?hl={locale}{aq}{sourceid}{rlz}&ie=UTF-8&q={query}</search>

<send>hXXp://toolbar.google.{domain}/buttons/gallery?hl={locale}{aq}{sourceid}{rlz}&ie=UTF-8&q={selection}</send>

<feed refresh-interval="86400" whole-dropdown="true">hXXp://toolbar.google.{domain}/buttons/feeds/topbuttons/?hl={locale}&sd={domain}{sourceid}</feed>

hXXp://toolbar.google.com/tbredir?r=cb_module

<update>hXXp://toolbar.google.com/buttons/defs/topbuttons.xml</update>

EP/yogv/7p8K/ mcCf/kmQf/3pUF/9qTCP/WlRL/0ZEQ/8 REP/TmCD/////AP wHv//rxz//64Y

HnL.Mn

>3>%?0?:?

3%4U4

=#=)=>=2>

; ;&;.;~;

4(5,5054585<5@5

:.;\;"<<<,=

3%3S3j3

8€8S8

0
0\0

2 2$2(2,2024282<2

X:\:`:d:h:l:p:t:x:|:

1 1<1@1\1`1|1

Global\{F302003D-E4EF-4c33-89C9-86B4F33D6F83}

GoogleToolbarDynamic_ext_%s_32.dll

GoogleToolbarDynamic_mui_%s.dll

GoogleToolbarUser_32.exe

GoogleToolbar_32.dll

GoogleToolbarDynamic_32.dll

GoogleToolbarUser_64.exe

GoogleToolbar_64.dll

7Kernel32.dll

Comctl32.dll

iexplore.exe

GoogleToobarUser.exe

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

res://%s/%s

uninstall_failed.html

/execute:

/execute

Run: %s

GoogleToolbarManager.exe

GoogleUpdaterService.exe

GoogleToolbarHelperPatch_signed.msp

GoogleToolbarHelper_signed.msi

Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

SetCurrentUserKey %s

{AA58ED58-01DD-4d91-8333-CF10577473F7}

{2318C2B1-4965-11d4-9B18-009027A5CD4F}

OEM %d

Google% Chrome% Frame

Toast delay %d

%s/%s?r=%s&l=%s&v=%d.%d&tbbrand=%s

hXXp://toolbar.google.com

Window %x

Install type %d, %d to %d.%d

Cleaning up Omaha key from 64-bit hive.

Cleaning up Omaha key from 32-bit hive.

SOFTWARE\Google\Update\Clients\{985BAF76-41FB-4BB4-95BA-68D1B7BA813C}

CleanupEmptyLeapfrogKeys

\googledict*.dat

Stub: %s

Msp %s

Msi %s

Brand: %s

brand.dll

Refreshing elevation policy for user %s succeeded

Refreshing elevation policy for user %s failed: 0x%.8x

0u

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

{DBEA1034-5882-4a88-8033-81C4EF0CFA29}

Installing GUS %s

Needs local %d

ReInstall returns %x

Installing notifier %s

MonitoredInstall returns %x

"%s" %s

fastsearch.dll

SearchWithGoogleUpdate.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

hXXp://VVV.google.com/images/toolbar_uninstall.gif

%s\Software\Google\Google Toolbar

%s\Software\Google\NavClient

5Set uninstalling %d

RegisterBrowserToolbar %s

RegisterToolbarKillbit %s

%s %s

RegisterUninstaller %s %s

UnregisterUninstaller %s

Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Failed SetAccessRights %s

{442ECDBB-D71B-11DA-8750-001185653D78}

DeleteOldBrokerKeys

RegisterCOMServer %s %s %s

UnregisterCOMServer %s

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

RegisterBHO %s

UnregisterBHO %s

Adding to user agent %s

%s%d.%d

0123456789

GoogleToolbar*user.exe

CleanupOldBrokerEXEs

{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}

{32004B8A-44A9-43e7-84E9-808838809519}

{E16DC1FE-7C34-43f2-B754-F3AD12DDF97C}

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}

VVV.google.com

/images/toolbar_uninstall.gif

GoogleToolbarUser.exe

GoogleToolbar.dll

GoogleToolbar*.dll

Component Categories\{00021492-0000-0000-C000-000000000046}\Enum

Google\Custom Buttons\TOOLBAR.GOOGLE.COM_O8Y91YHB24Z6SR0SGYSK.XML

Google\brand.dll

Uninstalling GUS: %s

{18455581-E099-4ba8-BC6B-F34B2F06600C}

{C76EF2E9-C733-4930-B213-63554054CD47}

%s\%s

{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled

GoogleQuickSearchBoxSetup.exe

{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}

{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}

7clients4.google.com

google.web

%s\*.a

%s\*.w

{74914BC3-D93B-4aa8-9C97-3151D7139606}

200806010000

hXXp://toolbar.google.com/buttons/defs/google.com_lucky.xml

hXXp://VVV.google.{domain}/search?{builtin}{rlz}{lucky}&q={selection}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}{lucky}&q={query}

{B78DE3F9-009D-4176-8A23-912C6D5DE9E5}

hXXp://toolbar.google.com/buttons/add?

hXXps://

hXXp://

hXXp://toolbar.google.com/buttons/defs/youtube.com.xml

hXXp://VVV.google.com/ig/modules/youtube_igoogle/toolbar/youtube.xml

hXXp://VVV.youtube.com/results?utm_source=navclient{rlz}&search_query={selection}

hXXp://VVV.youtube.com/results?utm_source=navclient{rlz}&search_query={query}

hXXp://VVV.youtube.com/?utm_source=navclient

hXXp://toolbar.google.com/buttons/defs/google.com_scholar.xml

hXXp://scholar.google.{domain}/scholar?{builtin}{rlz}&q={selection}

hXXp://scholar.google.{domain}/scholar?{builtin}{rlz}&q={query}

hXXp://scholar.google.{domain}/schhp?{builtin}

hXXp://toolbar.google.com/buttons/defs/photos.google.com.xml

hXXp://picasaweb.google.{domain}/lh/searchbrowse?{builtin}{rlz}&psc=G&filter=1&q={selection}

hXXp://picasaweb.google.{domain}/lh/searchbrowse?{builtin}{rlz}&psc=G&filter=1&q={query}

hXXp://picasaweb.google.{domain}/?{builtin}

hXXp://toolbar.google.com/buttons/defs/google.com_patents.xml

hXXp://VVV.google.com/patents?{builtin}{rlz}&q={selection}

hXXp://VVV.google.com/patents?{builtin}{rlz}&q={query}

hXXp://VVV.google.com/ptshp?{builtin}

hXXp://toolbar.google.com/buttons/defs/orkut.com.xml

hXXp://VVV.orkut.com/UniversalSearch.aspx?{builtin}{rlz}&q={selection}

hXXp://VVV.orkut.com/UniversalSearch.aspx?{builtin}{rlz}&q={query}

hXXp://VVV.orkut.com/?{builtin}

hXXp://toolbar.google.com/buttons/defs/google.com_finance.xml

hXXp://VVV.google.{domain}/finance?{builtin}{rlz}&q={selection}

hXXp://VVV.google.{domain}/finance?{builtin}{rlz}&q={query}

hXXp://VVV.google.{domain}/finance?{builtin}

hXXp://toolbar.google.com/buttons/defs/docs.google.com.xml

hXXp://docs.google.com/?{builtin}{rlz}&q={selection}

hXXp://docs.google.com/?{builtin}{rlz}&q={query}

hXXp://docs.google.com/?{builtin}

hXXp://toolbar.google.com/buttons/defs/calendar.google.com.xml

hXXp://calendar.google.com/calendar?{builtin}{rlz}&q={selection}

hXXp://calendar.google.com/calendar?{builtin}{rlz}&q={query}

hXXp://calendar.google.com/calendar?{builtin}

hXXp://toolbar.google.com/buttons/defs/books.google.com.xml

hXXp://books.google.{domain}/books?{builtin}{rlz}&q={selection}

hXXp://books.google.{domain}/books?{builtin}{rlz}&q={query}

hXXp://books.google.{domain}/books?{builtin}

hXXp://toolbar.google.com/buttons/defs/google.com_blog_search.xml

hXXp://blogsearch.google.{domain}/blogsearch?{builtin}{rlz}&q={selection}

hXXp://blogsearch.google.{domain}/blogsearch?{builtin}{rlz}&q={query}

hXXp://blogsearch.google.{domain}/blogsearch?{builtin}

hXXp://toolbar.google.com/buttons/defs/google.com_products.xml

hXXp://VVV.google.{domain}/products?{builtin}{rlz}&q={selection}

hXXp://VVV.google.{domain}/products?{builtin}{rlz}&q={query}

hXXp://VVV.google.{domain}/products?{builtin}

hXXp://toolbar.google.com/buttons/defs/groups.google.com.xml

hXXp://groups.google.{domain}/groups?{builtin}{rlz}&q={selection}

hXXp://groups.google.{domain}/groups?{builtin}{rlz}&q={query}

hXXp://groups.google.{domain}/grphp?{builtin}

hXXp://toolbar.google.com/buttons/defs/maps.google.com.xml

hXXp://maps.google.{domain}/maps?{builtin}{rlz}&q={selection}

hXXp://maps.google.{domain}/maps?{builtin}{rlz}&q={query}

hXXp://maps.google.{domain}/maps?{builtin}

hXXp://toolbar.google.com/buttons/defs/news.google.com.xml

hXXp://VVV.google.com/ig/modules/tabnews.xml

hXXp://news.google.{domain}/news?{builtin}{rlz}&q={selection}

hXXp://news.google.{domain}/news?{builtin}{rlz}&q={query}

hXXp://news.google.{domain}/nwshp?{builtin}

hXXp://toolbar.google.com/buttons/defs/video.google.com.xml

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&tbm=vid&q={selection}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&tbm=vid&q={query}

hXXp://VVV.google.{domain}/videohp?{builtin}

hXXp://toolbar.google.com/buttons/defs/google.com_images.xml

hXXp://images.google.{domain}/images?{builtin}{rlz}&q={selection}

hXXp://images.google.{domain}/images?{builtin}{rlz}&q={query}

hXXp://images.google.{domain}/imghp?{builtin}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&q={selection}{countries}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&q={query}{countries}

hXXp://toolbar.google.com/buttons/defs/google.com_site.xml

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&q={selection} site:{url.host}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&q={query} site:{url.host}

hXXp://VVV.google.{domain}/search?{builtin}{rlz}&q=site:{url.host}

document.body.oncontextmenu = function(ev) {

if (ev == null) ev = window.event;

var t = ev.srcElement;

if (t.nodeType != 1 || t.nodeName.toUpperCase() != 'INPUT') {

if (t.type == null) return false;

var type = t.type.toUpperCase();

if (type != 'TEXT' && type != 'PASSWORD') return false;

var text = document.createElement('DIV');

text.innerHTML = %S;

document.body.appendChild(text);

1904061E-FFEC-4677-AB81-BC876845A826.html

gadget.html

hXXp://toolbar.google.com/buttons/gadget_settings

document.body.style.overflow = 'hidden';

http%s://clients1.google.com/tools/pso/ping?as=tbin

7%s\Clients\%s

{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}

{430FD4D0-B729-4F61-AA34-91526481799D}

%s\ClientState\%s

%s\ClientStateMedium\%s

/install "runtime=true&needsadmin=True&brand=%s" /installsource toolbar /silent

GoogleUpdateSetup.exe

{8BA986DA-5100-405E-AA35-86F34A02ACBF}

;execfail:0x%x

;0x%x

;waitfail:0x%x

%s%s_%u

/install "appguid=%s&needsadmin=true&appname=%s&brand=%s&usagestats=%s" /installsource toolbar /silent

1{03C5FCF4-9651-431e-A362-10976142062D}

/sid:%s

/execute:%u

ElevateCommand%d

%s /install /appid=tbie

%s /uninstall /appid=tbie

{BFF70815-2349-409c-8B32-C18E8551B140}

EXECUTABLECOMMANDLINE="%s %u %d ""%s"" %s" REINSTALL=ALL

_%s%s

.content

t\%s\%s

findy_in-search-results-tb_content_script.js

findy_in-document-tb_ltr_css.css

findy_in-document-start-tb_content_script.js

findy_in-document-tb_content_script.js

plusone_params.json

dnsprefetch_params.json

rebang_small.xml

rebang_big.xml

rebang_config.xml

dictionaries_config.json

promo_params.json

share_providers.json

suggest_window.html

*.exe

{C46BE1D7-1E14-45ef-B3B2-93088FD300E5}

.manifest.xml

hXXp://cache.pack.google.com/

hXXp://dl.google.com/

Added non_manifest file '%s'

Copy to safe '%s' to '%s'

Error: Cannot remove empty directory '%s'

Directory is not empty '%s'

Removed empty directory successfully '%s'

Deleted non_manifest file '%s'

Invalid '%s'

Uninstalling next version %s

Uninstalling current version %s

Major of %s

%*d.%d

Minor of %s

Deleted %x: '%s'

Protect %s

Install %s

7Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History

ieframe.dll

ASENSAPI.DLL

ieuser.exe

Deleted component %x '%s'

IsTriggered %d %p %s

2ShouldBeRun %d %p %s

2Execution completed

Executing '%s' '%s' for %d seconds

.bitstmp

https

advapi32.dll

"%s" %s %s

{1899E98D-80CA-4f46-B1C3-CA2E947E967D}

co.zm

co.za

com.vn

co.vi

co.ve

com.vc

co.uz

com.uy

co.ug

com.ua

com.tw

com.tr

com.tj

co.th

com.sv

com.sg

com.sa

com.qa

com.py

com.pr

com.pk

com.ph

com.pe

com.pa

com.om

co.nz

com.np

com.ni

com.nf

com.na

com.my

com.mx

com.mt

co.ma

com.ly

co.ls

co.kr

co.ke

co.jp

com.jm

co.je

co.in

co.im

co.il

co.id

com.hk

com.gt

com.gi

co.uk

com.fj

com.et

com.eg

com.ec

com.do

com.cu

co.cr

com.co

co.ck

com.bz

co.bw

com.br

com.bo

com.bh

com.bd

com.au

com.ar

com.ai

com.ag

com.af

hXXp://VVV.google.com/support

.google.

.com.edu.net.org.gov.mil.jp.de.au.in.uk.fr.ca.dk.it.cn.kr.int.arpa.nato.biz.name.museum.pro.aero.coop.info.ac.ad.ae.af.ag.ai.al.am.an.ao.aq.ar.as.at.au.aw.az.ba.bb.bd.be.bf.bg.bh.bi.bj.bm.bn.bo.br.bs.bt.bv.bw.by.bz.ca.cc.cd.cf.cg.ch.ci.ck.cl.cm.co.cr.cu.cv.cx.cy.cz.de.dj.dk.dm.do.dz.ec.ee.eg.eh.er.es.et.fi.fj.fk.fm.fo.fr.ga.gd.ge.gf.gg.gh.gi.gl.gm.gn.gp.gq.gr.gs.gt.gu.gw.gy.hk.hm.hn.hr.ht.hu.id.ie.il.im.in.io.iq.ir.is.it.je.jm.jo.jp.ke.kg.kh.ki.km.kn.kp.kr.kw.ky.kz.la.lb.lc.li.lk.lr.ls.lt.lu.lv.ly.ma.mc.md.mg.mh.mk.ml.mm.mn.mo.mp.mq.mr.ms.mt.mu.mv.mw.mx.my.mz.na.nc.ne.nf.ng.ni.nl.no.np.nr.nu.nz.om.pa.pe.pf.pg.ph.pk.pl.pm.pn.pr.ps.pt.pw.py.qa.re.ro.ru.rw.sa.sb.sc.sd.se.sg.sh.si.sj.sk.sl.sm.sn.so.sr.st.sv.sy.sz.tc.td.tf.tg.th.tj.tk.tm.tn.to.tp.tr.tt.tv.tw.tz.ua.ug.uk.um.us.uy.uz.va.vc.ve.vg.vi.vn.vu.wf.ws.ye.yt.yu.za.zm.zw.

cmsidewiki.html

cmnotethis.html

cmtrans.html

cmbacklinks.html

cmsimilar.html

cmcache.html

cmwordtrans.html

cmsearch.html

FAKE.html

Cannot open option key

UnregisterContextMenuItems %d

Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories%s\%s

{00021494-0000-0000-C000-000000000046}

{00021493-0000-0000-C000-000000000046}

FixPerUserSystemSettings %d

7%s&%u

&channel=%s

&browser=%s

&v=%s

&sd=%s

?hl=%s&sourceid=navclient&tbbrand=%s&session=%d&ex=%s

{8269CF0D-348A-464b-87A1-C6B259477DCC}.transmit

{8269CF0D-348A-464b-87A1-C6B259477DCC}

GoogleToolbarDynamic_64.dll

8clients4.google.com

application/vnd.chrome.uma

hXXps://VVV.google.com/accounts/

hXXps://VVV.google.%s/accounts/

{6A5FD32A-A74A-4c5e-9260-3EC5BB6FAC1A}

{1F62A67F-0650-4d06-8E24-43F1AD74CDA4}

Latency.PreconnectAddressBar

Latency.PreconnectSearchBox

.HTML

.JSON

{204E0C2A-28A5-43b9-97D2-E198EAD3BF4A}

{CAA28367-C28C-47c6-A78E-5A6039B89337}

{69364682-1744-4315-AE65-18C5741B3F04}

port

HoverDictionary.%sServerLookup

HoverDictionary.SegmentationFailed

HoverDictionary.MissingEndDelimiter

GoogleCld.dll

3Software\Microsoft\Internet Explorer\SearchUrl

hXXp://VVV.google.com/ie

hXXp://VVV.google.com

DefaultSearchURL

hXXp://VVV.google.com/search?q=

Use Custom Search URL

Software\Microsoft\Internet Explorer\SearchURL

hXXp://VVV.google.com/search?q=%s

Default_Search_URL

google.ma

google.zw

/webhp

VVV.265.com

hXXp://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}

hXXp://VVV.google.com/favicon.ico

x-osid:1:search:%s

SuggestionsURL_JSONFallback

SuggestionsURL_JSON

SuggestionsURLFallback

SuggestionsURL

FaviconURLFallback

FaviconURL

{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

hXXp://VVV.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

hXXp://VVV.google.com/

\Internet Explorer\iexplore.exe

?%s=%s

hXXp://%s

{098870b6-39ea-480b-b8b5-dd0167c4db59}

3%s\%s\%s

Mozilla/4.0 (compatible; Win32)

clients1.google.com

{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}

psapi.dll

%s -uninstall -silent -toolbar

Google\Google Desktop Search\GoogleDesktopSetup.exe

explorer.exe

Global\{DEAF7D9B-0E34-45ee-9C22-213E6CD8E72C}

ButtonWebHistorySearch

ButtonWebHistory

ChromeFrameTimestamp

ChromeFrameCount

ShowChromeFrameToast

DnsDatabaseStatReported

PlusSharePromotionShownUsers

PlusSharePromotionShown

PlusSharePromotionShowTime

AutoFillImportDataOffered

ChromeFrameToast

WhatsNewUrl

SearchUseHTTPS

CrashReportingEnabled

ReadyPingUrl

F2C8C320-F2EC-4FC6-8DB0-3C7C4E54421A

1Global\{5EE357DB-BE24-40d1-9E7C-25C9EFBABA49}

Global\{907EB98D-8E25-4abd-9433-9E6BC9446D80}

\Packages\windows_ie_ac_

Google\%s\

Software\Google\%s\Component

Normaliz.dll

{234CCEF8-E6A4-4fa5-A59F-74B399051804}

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\

wtsapi32.dll

ielowutil.exe

CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32

{702E06BE-4C3B-486b-951D-E69447B76E38}_%x

0x%x,0x%x

TBResult %s, %S:%hu

res://%s/%d

hXXp://toolbar.google.com%sfaq.html#dog

---Stop %s

---Start %s

%s.log

IEXPLORE.EXE

IEUSER.EXE

CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32

{24880F08-AE9F-4eb1-AB94-22AD47DC6B89}

PendingFileRenameOperations

Software\Microsoft\Windows\CurrentVersion\Setup\State

cmdkey

password

8DEE75AF-5463-4142-A821-139B0ECEFBA5

%u.%u.%u.%u

HTTP/1.1

User-Agent: %s

GoogleRegQueue-%s-{CD028B70-5426-4cd0-91AF-2F47534B717A}

Win32Error %x, %s

HRESULT %x, %s

$suggest_window_beta.html

{DA78D5C4-0EB6-473c-B9BE-3C46A4DA5E4E}

suggest_extra_sections.css

suggest_extra_sections_comp.js

gadget_loading.html

gadget_suggest_window.html

setWindowSize

onKeyDown

password_hash

balloon_autofill.html

Portugal

Turkey

_GTB_OptionsAutoFill_ProfileData.LAST_NAME

_GTB_OptionsAutoFill_ProfileData.MIDDLE_NAME

_GTB_OptionsAutoFill_ProfileData.FIRST_NAME

Connection.CallbackTimePerPageD

Connection.Connection.CallbackToPLTPermille

broker_metrics.xml

broker_metrics.proto

metrics_%I64d.xml

metrics_%I64d.proto

metrics*.xml

metrics*.proto

google.bookmarks

MSIE %s)

%d.%d;

Mozilla/4.0 (compatible; {clientname}; Windows

Global\{302ABB8A-FFA9-4749-9735-AAACCDDBB7B0}

INVALID_KEY

MISSING_KEY

;{EA84AF75-6FD9-4fef-8002-766B2EA005FF}

onkeyup

onkeydown

onkeypress

{12B37F35-CAEC-4460-AFED-E8A5A6DFF078}

%Program Files%\Google\Google Toolbar\Component\GoogleToolbarManager_8B0481A9A34D47CD.exe

CUSTOMBUTTON TOOLBAR.GOOGLE.COM_O8Y91YHB24Z6SR0SGYSK.XML

c%s %s

2000-2014

7, 5, 8231, 2252

per defecte) de l'Internet Explorer. A alguns desenvolupadors web els agrada tenir activat aquest par

rci web

r indstillingerne for scriptfejl fra i Internet Explorer (som er standardkonfigurationen). Nogle webudviklere foretr

Der Pop-up-Blocker der Google Toolbar funktioniert am besten, wenn die Skriptfehlereinstellungen von Internet Explorer deaktiviert sind (Standardkonfiguration). Einige Webentwickler bevorzugen diese Einstellung, f

The Google Toolbar's pop-up blocker works best if you turn off Internet Explorer's script error settings (which is the default configuration). Some web developers like to have this setting on, but most users do not need it.

n de errores de secuencias de comandos de Internet Explorer, que viene predeterminada. Algunos programadores web prefieren tener activados estos ajustes, pero la mayor

Nais ng ilang mga web developer ay nakabukas ang setting na ito, ngunit hindi ito kailangan ng karamihan sa mga gumagamit.

I-click ang OO kung nais mong pigilan namin ang mga script error..Katanungan sa Pag-install: Mga Error sa SCript

faut). Certains d

veloppeurs Web choisissent d

to je zadana konfiguracija). Neki web programeri radije uklju

ny web-fejleszt

This feature lets users type names instead of URLs in the browser address bar.

Pencekal munculan Google Toolbar akan bekerja penuh jika Anda menonaktifkan pengaturan kesalahan skrip Internet Explorer (yang merupakan konfigurasi standar). Sebagian pengembang web sering mengaktifkan pengaturan ini, namun sebagian besar pengguna tidak memerlukannya.

Klik YA jika Anda ingin kami menonaktifkan pengaturan tersebut..Pertanyaan tentang pemasangan: Kesalahan Skrip

Ti consigliamo di utilizzare la funzione Blocco popup di Google Toolbar dopo aver disattivato le impostazioni relative agli errori di script di Internet Explorer (configurazione predefinita). Alcuni sviluppatori web preferiscono attivare questa impostazione, sebbene risulti di scarsa utilit

De functie voor pop-ups blokkeren van de Google Toolbar werkt het best als u de optie voor scriptfouten in Internet Explorer uitschakelt (dit is de standaardinstelling). Deze optie is slechts interessant voor sommige webontwikkelaars.

o). Alguns desenvolvedores da web precisam dessas configura

o predefinida). Alguns programadores da Web preferem ter esta defini

Unor dezvoltatori Web le place ca aceast

This feature lets users type names instead of URLs in the browser address bar.(

ri webov

r standardkonfigurationen). En del webbutvecklare f

web tasar

n web th

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   GoogleUpdate.exe:3588
   GoogleUpdate.exe:4020
   GoogleUpdate.exe:2184
   bytefence-installer-3.18.0.0.exe:2020
   %original file name%.exe:1908
   GoogleUpdateSetup_1.3.21.169.exe:672
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\GUMCCE.tmp\goopdate.dll (872 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_en.dll (864 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsDialogs.dll (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtapi_signed.dll (2465 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\UserInfo.dll (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb\toolbar-screenshot.jpg (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\ButtonEvent.dll (13 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gtb\toolbar.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjDA5A.tmp (517686 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\PF-Toolbar-W78.exe (28539 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\execDos.dll (13 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\System.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\modern-header.bmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\pfWWW.dll (5520 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsProcess.dll (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\g\gcapi_dll.dll (8401 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsExec.dll (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\nsAED.tmp (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyDB06.tmp\modern-wizard.bmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE6BE.tmp (14 bytes)
   %Program Files%\ByteFence\ByteFenceService.exe.config (383 bytes)
   %Program Files%\ByteFence\rsEngineHelper.exe (6573 bytes)
   %Program Files%\ByteFence\ByteFenceScan.exe.config (147 bytes)
   %Program Files%\ByteFence\rsEngineHelper.exe.config (383 bytes)
   %Program Files%\ByteFence\websocket-sharp.dll (10676 bytes)
   %Program Files%\ByteFence\Signatures.dat (22262 bytes)
   %Program Files%\ByteFence\RsMessages.dll (8157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsisdl.dll (30 bytes)
   %Program Files%\ByteFence\rsLggr.dll (3498 bytes)
   %Program Files%\ByteFence\x86\lz4_x86.dll (3629 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsE47B.tmp (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD6B5.tmp (14 bytes)
   %Program Files%\ByteFence\ByteFence.exe.config (147 bytes)
   %Program Files%\ByteFence\EULA.txt (28 bytes)
   %Program Files%\ByteFence\ByteFenceGUI.dll (18782 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsC989.tmp (14 bytes)
   %Program Files%\ByteFence\Uninstall.exe (1867 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsD34A.tmp (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstC67C.tmp\nsExec.dll (14 bytes)
   %Program Files%\ByteFence\rsEngine.dll (104521 bytes)
   %Program Files%\ByteFence\x86\System.Data.SQLite.dll (22599 bytes)
   %Program Files%\ByteFence\x64\System.Data.SQLite.dll (30244 bytes)
   %Program Files%\ByteFence\x64\lz4_x64.dll (5223 bytes)
   %Program Files%\ByteFence\Microsoft.Win32.TaskScheduler.dll (5936 bytes)
   %Program Files%\ByteFence\rsUtils.dll (8332 bytes)
   %Program Files%\ByteFence\WhiteList.dat (11709 bytes)
   %Program Files%\ByteFence\rsMessages-license.txt (13 bytes)
   %Program Files%\ByteFence\rsLggr.exe (9075 bytes)
   %Program Files%\ByteFence\protobuf-net.dll (6755 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoC23.tmp\System.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_1.3.21.169.exe (26262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Resume_Button.png (718 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\button.css (417 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button.png (698 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\csshover3.htc (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EL.locale (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BD4FC.log (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (924 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CF6DE.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\browse.css (337 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\BG.jpg (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\EN.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Progress.png (104 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\form.bmp.Mask (244 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button_Hover.png (818 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CBA5B.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\ID.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D61015565366021.dat (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Pause_Button.png (577 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\sponsored.png (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD682.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\6CD6BBF2_stp.EXE.part (534 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close.png (207 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp\bytefence-installer-3.18.0.0.exe (1746 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp.CIS.part (795 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\00377329_stp\asgnd.json (6341 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Icon_Generic.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\progress-bar.css (506 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Lolosobeken[1].jpg (3254 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS (82136 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\checkbox.css (190 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6E0.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\button-bg.png (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Loader.gif (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\bootstrap_37575.html (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\JA.locale (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\ProgressBar.png (812 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\Continue CCleaner Installation.lnk (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\CS.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ccleaner[1].jpg (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Grey_Button_Hover.png (719 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg2.png (978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Close_Hover.png (207 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_tb.png (19 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\default_wi.png (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD6FF.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Color_Button.png (808 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\text-bg.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\images\Quick_Specs.png (221 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in364BB553\4A9B28F8_stp.CIS.part (1648 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006CD663.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\ie6_main.css (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D61015565366022.dat (82061 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\locale\NL.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\sdk-ui\images\progress-bg.png (1 bytes)
   C:\Users\"%CurrentUserName%"\Downloads\ccleaner.exe.EXE (51303 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH706544148292\css\main.css (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4A21WW8U.txt (123 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\006BCEC5.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_%original file name%.exe (100 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1302 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar233C.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_3FD623D81F01CC7158ABFAD4F5E4B368 (1624 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_3FD623D81F01CC7158ABFAD4F5E4B368 (471 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab233B.tmp (53 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_fi.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_en-GB.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_th.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ru.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_hr.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleUpdateHelper.msi (26 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_pt-PT.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ro.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_sr.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\psmachine.dll (163 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_el.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_fil.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ko.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_is.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_am.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_de.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_fr.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ml.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ta.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_uk.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_kn.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleUpdateOnDemand.exe (59 bytes)
   %Program Files%\GUMCCE.tmp\GoogleUpdateBroker.exe (59 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_zh-CN.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_lt.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_te.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_sw.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_da.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_gu.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_cs.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ar.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_nl.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_vi.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_mr.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleCrashHandler.exe (237 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_sk.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_bn.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_fa.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_bg.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_it.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleUpdate.exe (234 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_pt-BR.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ms.dll (1702 bytes)
   %Program Files%\GUTCCF.tmp (63108 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_sl.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ur.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_sv.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleUpdateSetup.exe (5873 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_es.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_id.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_lv.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\psuser.dll (163 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_es-419.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_pl.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_hu.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_zh-TW.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_hi.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\GoogleCrashHandler64.exe (550 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_no.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ja.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_tr.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\npGoogleUpdate3.dll (838 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_iw.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_et.dll (1702 bytes)
   %Program Files%\GUMCCE.tmp\goopdateres_ca.dll (1702 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.