Application.Bundler.DomaIQ.Q_8517aba1e5

by malwarelabrobot on November 20th, 2014 in Malware Descriptions.

not-a-virus:AdWare.MSIL.DomaIQ.chgb (Kaspersky), Application.Bundler.DomaIQ.Q (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8517aba1e5989d5cc8701b151783808a
SHA1: ad40518e77ecad25586c619af7436d98b39fda85
SHA256: 86aaef044139dacb14692bc5f16988a33a5cc8d4b287cf11919849b75fa11dd1
SSDeep: 6144:b K036Qh8dhkgaMeahKXdWWHzP2dOTy/qCQTdPJ fmvTbCfL1No8pYvV:C3T ahKXdWWw1qf6mvTbMZW8WV
Size: 321088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-14 23:09:38
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:668

The Application injects its code into the following process(es):

%original file name%.exe:676

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:676 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Browser appinfo.dfe (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mystart.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-small.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Vuupc\info.html (1287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\MyBackupPc\info.html (1419 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DHD6E441\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Wajam\info.html (2473 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\browserapp.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\SM Mystart\info.html (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\HQVideo-Proinfo.dfe (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\HQVideo-Pro\info.html (1089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-gris.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\PPI OptimizerPro\info.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Dockings.dfe (2617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo3.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateStyle.dfe (6468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris-small.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\hq-videopro.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mystart-toolbar-gris.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo2.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\base.css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\PPI OptimizerProinfo.dfe (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Wajaminfo.dfe (2823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U4QB9L07\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\MyBackupPcinfo.dfe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-big.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1a.png (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UWC4R3L\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2.png (9 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\SM Mystartinfo.dfe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Browser app\info.html (1497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\wajam.css (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-img.png (1552 bytes)

The process %original file name%.exe:668 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe (1431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\09ac72b88ef140aa8ee609de7640785e.txt (8027 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa7D.tmp (0 bytes)

Registry activity

The process %original file name%.exe:676 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1381415142"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD BE FD 00 A1 E4 C1 44 65 3C C7 6E 41 68 94 F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Application modifies the IE security zone settings so that all local web-nodes with no dots in their names, which do not refer to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies the IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:668 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 45 93 5E 12 7D B6 BF 33 7D E2 21 97 2C B4 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 | File path
6c1fa3fd9e135ec4a98cc3deb7b6e90d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe
1dadb63a5dfaa0679485c5dbaf96033f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7E.tmp\nsisdl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 23148 | 23552 | 4.44633 | 1c619949741a76b63a54c1e6c4d6b2f8
.rdata | 28672 | 4558 | 4608 | 3.62955 | 6c31e0693072284f258d2c4a271de506
.data | 36864 | 110520 | 1024 | 3.36948 | 78f5760d9fafb71fdbc88c3497afef46
.ndata | 147456 | 61440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e
.rsrc | 208896 | 17000 | 17408 | 3.5656 | 7fae611f3f73978e9992534a50a87055

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1515

URLs

URL IP
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/CopyFiles
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/GetParameters
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/PreRun
hxxp://staticrr.tgusrv.com/test.html
hxxp://track.v2.sslsecure1.com/test.html 204.11.56.26
hxxp://Track-903226030.us-west-2.elb.amazonaws.com/test.html
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/test.html
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/283/google-chrome/291/679/English.xml
hxxp://staticrr.tgusrv.com//Dictionaries/English.xml
hxxp://betatest.vmn.net/betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe 66.115.174.144
hxxp://cds.c5z6s5a3.hwcdn.net/ba/full/mon/setup.exe
hxxp://www.wajam-download.com/download/wajam_download.exe 54.208.23.129
hxxp://dl.softservers.net/111001464/OptimizerPro.exe 198.20.70.75
hxxp://s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe
hxxp://cds.c5z6s5a3.hwcdn.net/21/all/hqv/ca/setup.exe
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip
hxxp://staticrr.tgusrv.com//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip
hxxp://staticrr.tgusrv.com//Docking/Docking.zip
hxxp://staticrr.tgusrv.com//Styles/Softwares/70e7b9d8_mystart.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/222ac0df_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/844a2c3b_browserapp.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/9103144e_display (1).html
hxxp://staticrr.tgusrv.com//Styles/Softwares/67423fe2_wajam.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/1f76ab55_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/0ba5df4c_optimizerpro2.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/7f3e6cee_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/e7bf26c3_mypcbackup.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/16220985_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/06a50625_hq-videopro.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/cb3d709d_display.html
hxxp://staticrr.paleokits.net//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip 85.12.8.28
hxxp://api.v2.sslsecure4.com/index.php/api/283/google-chrome/291/679/English.xml 54.200.36.178
hxxp://api.v2.sslsecure2.com/test.html 204.11.56.26
hxxp://staticrr.paleokits.net//Styles/Softwares/e7bf26c3_mypcbackup.zip 85.12.8.28
hxxp://staticrr.paleokits.net//Displays/Softwares/9103144e_display (1).html 85.12.8.28
hxxp://track.v2.sslsecure3.com/test.html 204.11.56.26
hxxp://api.v2.sslsecure3.com/test.html 204.11.56.26
hxxp://staticrr.paleokits.net//Styles/Softwares/844a2c3b_browserapp.zip 85.12.8.28
hxxp://aff-software.s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe 54.231.2.20
hxxp://staticrr.paleokits.net//Displays/Softwares/16220985_display.html 85.12.8.28
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/CopyFiles
hxxp://staticrr.paleokits.net//Dictionaries/English.xml 85.12.8.28
hxxp://staticrr.paleokits.net//Displays/Softwares/cb3d709d_display.html 85.12.8.28
hxxp://staticrr.paleokits.net//Docking/Docking.zip 85.12.8.28
hxxp://dl.newonlinedemoserv.com/21/all/hqv/ca/setup.exe 69.16.175.10
hxxp://staticrr.paleokits.net//Displays/Softwares/222ac0df_display.html 85.12.8.28
hxxp://staticrr.paleokits.net/test.html 85.12.8.28
hxxp://staticrr.paleokits.net//Styles/Softwares/67423fe2_wajam.zip 85.12.8.28
hxxp://staticrr.paleokits.net//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip 85.12.8.28
hxxp://api.v2.sslsecure1.com/test.html 204.11.56.26
hxxp://staticrr.paleokits.net//Displays/Softwares/7f3e6cee_display.html 85.12.8.28
hxxp://staticrr.paleokits.net//Styles/Softwares/70e7b9d8_mystart.zip 85.12.8.28
hxxp://staticrr.paleokits.net//Styles/Softwares/06a50625_hq-videopro.zip 85.12.8.28
hxxp://staticrr.paleokits.net//Displays/Softwares/1f76ab55_display.html 85.12.8.28
hxxp://api.v2.sslsecure4.com/test.html 54.200.36.178
hxxp://staticrr.paleokits.net//Styles/Softwares/0ba5df4c_optimizerpro2.zip 85.12.8.28
hxxp://track.v2.sslsecure4.com/test.html 54.186.105.91
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/GetParameters
hxxp://dl.newonlinedemoserv.com/ba/full/mon/setup.exe 69.16.175.10
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/PreRun
hxxp://track.v2.sslsecure2.com/test.html 204.11.56.26
s3.amazonaws.com 54.231.2.152


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET DROP Dshield Block Listed Source group 1
ET POLICY Executable served from Amazon S3

Traffic

GET /test.html HTTP/1.1
Host: track.v2.sslsecure1.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:22 GMT
Server: Apache
Set-Cookie: vsid=912vr1639663426406766; expires=Mon, 18-Nov-2019 18:12:22 GMT; path=/; domain=track.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /index.php/api/283/google-chrome/291/679/English.xml HTTP/1.1
Accept-Encoding: gzip, deflate,gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Type: text/xml; charset=utf-8
Date: Wed, 19 Nov 2014 18:12:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=s28oriin477t5gh1negh78ijf2; path=/
transfer-encoding: chunked
Connection: Close

<<< skipped >>>

GET /download/wajam_download.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: VVV.wajam-download.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 21 May 2014 20:10:53 GMT
ETag: "66d4e-f0c0-4f9ee97e8ed40"
Accept-Ranges: bytes
Content-Length: 61632
Connection: close
Content-Type: application/x-msdos-program
Set-Cookie: APPSESSID=w1|VGzdn|VGzdn; path=/
Cache-control: private

<<< skipped >>>

GET /ba/full/mon/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:31 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416410780"
Last-Modified: Wed, 19 Nov 2014 15:26:20 GMT
Cache-Control: max-age=836
Content-Length: 11715336
Content-Type: application/x-msdownload
X-HW: 1416420751.dop008.ny2.t,1416420751.cds007.ny2.c
Content-Disposition: attachment; filename="setup.exe"

<<< skipped >>>

GET //Displays/Softwares/9103144e_display (1).html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: text/html
Last-Modified: Tue, 01 Jul 2014 09:28:50 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET /test.html HTTP/1.1
Host: api.v2.sslsecure3.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: Apache
Set-Cookie: vsid=921vr1639663443705083; expires=Mon, 18-Nov-2019 18:12:24 GMT; path=/; domain=api.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: track.v2.sslsecure3.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: Apache
Set-Cookie: vsid=915vr1639663431904681; expires=Mon, 18-Nov-2019 18:12:23 GMT; path=/; domain=track.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /debug/Version/4_0_6_25/Nsis/GetParameters HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:11:58 GMT
Server: Apache
Set-Cookie: vsid=913vr1639663183724887; expires=Mon, 18-Nov-2019 18:11:58 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<html>..<head><meta name="t
ids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /
><title>sslsecure1.com</title>..<meta http-equiv="Co
ntent-Type" content="text/html; charset=UTF-8">..<style type="te
xt/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,p
re,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;
}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:
0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:
normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,
h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'
';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;
}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table
{ text-align: left; margin: 0 auto; font-family: arial, sans-serif; co
lor: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i2.c
dn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...
h-list li {display: inline; text-align:left;}...h-list li strong {colo
r: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}
../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px
;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...
font-size: 35px;...text-decoration: none;...font-family: "ChunkFive",
arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a

<<< skipped >>>

GET /test.html HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
8..correct...0..


GET /test.html HTTP/1.1
Host: api.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...


GET /test.html HTTP/1.1
Host: track.v2.sslsecure2.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:22 GMT
Server: Apache
Set-Cookie: vsid=921vr1639663429504924; expires=Mon, 18-Nov-2019 18:12:22 GMT; path=/; domain=track.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET //Styles/Softwares/70e7b9d8_mystart.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 4152
Last-Modified: Tue, 03 Jun 2014 10:06:47 GMT
Connection: close
ETag: "538d9e37-1038"
Accept-Ranges: bytes

<<< skipped >>>

GET //Styles/Softwares/e7bf26c3_mypcbackup.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: application/zip
Content-Length: 7774
Last-Modified: Tue, 15 Oct 2013 10:54:23 GMT
Connection: close
ETag: "525d1edf-1e5e"
Accept-Ranges: bytes

<<< skipped >>>

GET //Styles/Softwares/0ba5df4c_optimizerpro2.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:47 GMT
Content-Type: application/zip
Content-Length: 65688
Last-Modified: Tue, 08 Jul 2014 14:49:06 GMT
Connection: close
ETag: "53bc04e2-10098"
Accept-Ranges: bytes

<<< skipped >>>

GET /test.html HTTP/1.1
Host: api.v2.sslsecure1.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: Apache
Set-Cookie: vsid=903vr1639663438121596; expires=Mon, 18-Nov-2019 18:12:23 GMT; path=/; domain=api.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: betatest.vmn.net
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:32 GMT
Server: Apache/1.3.41 (Unix)
Last-Modified: Wed, 04 Jun 2014 14:56:26 GMT
ETag: "8fbd-5362b8-538f339a"
Accept-Ranges: bytes
Content-Length: 5464760
Connection: close
Content-Type: application/octet-stream

<<< skipped >>>

GET //Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 7828
Last-Modified: Mon, 03 Mar 2014 12:56:47 GMT
Connection: close
ETag: "53147c0f-1e94"
Accept-Ranges: bytes

<<< skipped >>>

GET //Displays/Softwares/16220985_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: text/html
Last-Modified: Thu, 03 Oct 2013 10:28:07 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET //Styles/Softwares/844a2c3b_browserapp.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: application/zip
Content-Length: 734
Last-Modified: Tue, 01 Jul 2014 09:26:57 GMT
Connection: close
ETag: "53b27ee1-2de"
Accept-Ranges: bytes


GET //Displays/Softwares/222ac0df_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: text/html
Last-Modified: Tue, 03 Jun 2014 10:09:14 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET //Dictionaries/English.xml HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:31 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: close
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>.  <installed> Installed </installed> . 
<installing>Installing</installing> . <installingetc>
Installing...</installingetc> . <downloadError>An Erro
r has occurred</downloadError> . <takeFewMinutes>It may t
ake a few seconds</takeFewMinutes> . <confirmExit>Are you
sure you want to exit?</confirmExit> . <installClose>Do
you want to install the remaining offers?</installClose> . <
welcome>Welcome</welcome> . <license>Welcome</licen
se> . <options>Additional Options</options> . <ins
talando>Installing</instalando> . <finish>Finished<
/finish>. <downloadingetc>Downloading...</downloadingetc> .</dictionary>..


GET //Displays/Softwares/7f3e6cee_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: text/html
Last-Modified: Tue, 08 Jul 2014 14:47:05 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET /debug/Version/4_0_6_25/Nsis/PreRun HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:08 GMT
Server: Apache
Set-Cookie: vsid=905vr1639663281509643; expires=Mon, 18-Nov-2019 18:12:08 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<html>..<head><meta name="t
ids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /
><title>sslsecure1.com</title>..<meta http-equiv="Co
ntent-Type" content="text/html; charset=UTF-8">..<style type="te
xt/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,p
re,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;
}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:
0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:
normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,
h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'
';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;
}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table
{ text-align: left; margin: 0 auto; font-family: arial, sans-serif; co
lor: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i3.c
dn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...
h-list li {display: inline; text-align:left;}...h-list li strong {colo
r: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}
../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px
;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...
font-size: 35px;...text-decoration: none;...font-family: "ChunkFive",
arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a

<<< skipped >>>

GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close


HTTP/1.1 200 OK
x-amz-id-2: wgcmSekBETb0nbN v9J08dVMcyPuhtEsezW2SLhqp02ifjh15UxVtFK2K2hYd4QEZOG7TnT3oR0=
x-amz-request-id: 02EFF118D334B900
Date: Wed, 19 Nov 2014 18:12:43 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3

<<< skipped >>>

GET /ba/full/mon/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:31 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416410780"
Last-Modified: Wed, 19 Nov 2014 15:26:20 GMT
Cache-Control: max-age=836
Content-Length: 11715336
Content-Type: application/x-msdownload
X-HW: 1416420751.dop005.ny2.t,1416420751.cds007.ny2.c
Content-Disposition: attachment; filename="setup.exe"

<<< skipped >>>

GET //Styles/Softwares/06a50625_hq-videopro.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:49 GMT
Content-Type: application/zip
Content-Length: 725
Last-Modified: Wed, 12 Feb 2014 17:09:57 GMT
Connection: close
ETag: "52fbaae5-2d5"
Accept-Ranges: bytes


GET /21/all/hqv/ca/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416403573"
Last-Modified: Wed, 19 Nov 2014 13:26:13 GMT
Cache-Control: max-age=1065
Content-Length: 12531440
Content-Type: application/x-msdownload
X-HW: 1416420761.dop005.ny2.t,1416420761.cds045.ny2.c
Content-Disposition: attachment; filename="setup.exe"

<<< skipped >>>

GET //Displays/Softwares/cb3d709d_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:49 GMT
Content-Type: text/html
Last-Modified: Wed, 12 Feb 2014 17:10:19 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...


GET /111001464/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Wed, 19 Nov 2014 18:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 6160376
Last-Modified: Wed, 19 Nov 2014 16:07:25 GMT
Connection: close
ETag: "546cc03d-5dfff8"
Content-Disposition: attachment; filename=OptimizerPro.exe

<<< skipped >>>

GET /debug/Version/4_0_6_25/Nsis/CopyFiles HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:11:57 GMT
Server: Apache
Set-Cookie: vsid=922vr1639663172813827; expires=Mon, 18-Nov-2019 18:11:57 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate,gzip, deflate
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:44 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: close
ETag: "5319aaac-54343"
Accept-Ranges: bytes

<<< skipped >>>

GET /21/all/hqv/ca/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416403573"
Last-Modified: Wed, 19 Nov 2014 13:26:13 GMT
Cache-Control: max-age=1065
Content-Length: 12531440
Content-Type: application/x-msdownload
X-HW: 1416420761.dop002.ny2.t,1416420761.cds045.ny2.c
Content-Disposition: attachment; filename="setup.exe"

<<< skipped >>>

GET /betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: betatest.vmn.net
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:32 GMT
Server: Apache/1.3.41 (Unix)
Last-Modified: Wed, 04 Jun 2014 14:56:26 GMT
ETag: "8fbd-5362b8-538f339a"
Accept-Ranges: bytes
Content-Length: 5464760
Connection: close
Content-Type: application/octet-stream

<<< skipped >>>

GET /download/wajam_download.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: VVV.wajam-download.com
Connection: Close


HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 21 May 2014 20:10:51 GMT
ETag: "7015d-f0c0-4f9ee97ca68c0"
Accept-Ranges: bytes
Content-Length: 61632
Connection: close
Content-Type: application/x-msdos-program
Set-Cookie: APPSESSID=w2|VGzdn|VGzdn; path=/
Cache-control: private

<<< skipped >>>

GET //Displays/Softwares/1f76ab55_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:47 GMT
Content-Type: text/html
Last-Modified: Thu, 17 Jul 2014 09:13:47 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET //Styles/Softwares/67423fe2_wajam.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: application/zip
Content-Length: 111525
Last-Modified: Thu, 17 Jul 2014 09:09:05 GMT
Connection: close
ETag: "53c792b1-1b3a5"
Accept-Ranges: bytes

<<< skipped >>>

GET /111001464/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Wed, 19 Nov 2014 18:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 6160376
Last-Modified: Wed, 19 Nov 2014 16:07:25 GMT
Connection: close
ETag: "546cc03d-5dfff8"
Content-Disposition: attachment; filename=OptimizerPro.exe

<<< skipped >>>

GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: Apache
Set-Cookie: vsid=903vr1639663440521855; expires=Mon, 18-Nov-2019 18:12:24 GMT; path=/; domain=api.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close


HTTP/1.1 200 OK
x-amz-id-2: yoJdAcWghu8e0GmsJ9T8ZneomMMaQo6EcXXnzIssdoDa3ZhPU5nuJRh7BYGTDMzJirhPD2at7OE=
x-amz-request-id: EBA71CAF9DECDF78
Date: Wed, 19 Nov 2014 18:12:43 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3

<<< skipped >>>

GET //Docking/Docking.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: close
ETag: "52949b5b-90b8"
Accept-Ranges: bytes

<<< skipped >>>

The Application connects to the servers at the following location(s):

%original file name%.exe_668:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe" /path="c:\%original file name%.exe" ""
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp\nsisdl.dll
b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp
989d5cc8701b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe
D.MH;
<add key="UseElevatedPermissions" value="0" />
<system.net>
<httpWebRequest useUnsafeHeaderParsing="true"/>
</system.net>
<system.web>
<httpRuntime maxRequestLength="19000"/>
<webServices>
<add name="HttpGet"/>
<add name="HttpPost"/>
</webServices>
</system.web>
<supportedRuntime version="v2.0.50727"/>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
v2.0.50727
setup.exe
CallUrl
.ctor
System.Resources
System.Reflection
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.IO
System.Net
WebRequest
HttpWebRequest
IWebProxy
get_DefaultWebProxy
WebResponse
HttpWebResponse
Password
<PrivateImplementationDetails>{653B694D-F0F9-46DC-9D9E-8009DAEE1127}
System.Security.Cryptography
PasswordDeriveBytes
set_Key
4.0.6.25
$a789a08e-b7be-465a-9659-4044b21e32a9
_CorExeMain
mscoree.dll
Ñ[g
]]%uB
%original file name%.exe
8517AB~1.EXE
151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0a1</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
09ac72b88ef140aa8ee609de7640785e.txt

%original file name%.exe_676_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:668

  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Browser appinfo.dfe (734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Vuupcinfo.dfe (741 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\less.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-zipper.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mystart.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-small.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position4A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Vuupc\info.html (1287 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\MyBackupPc\info.html (1419 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mypcbackup.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DHD6E441\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bg_app.png (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\show.png (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Wajam\info.html (2473 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\browserapp.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\SM Mystart\info.html (686 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-gevideoconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\HQVideo-Proinfo.dfe (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\optimizerpro2.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\percentage-bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mypcbackup.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check-close.png (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\cross.jpg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\HQVideo-Pro\info.html (1089 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-shortw.gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\more.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-miul.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\logo-win.jpg (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\close.html (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafmusic.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-geaudioconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\options.html (965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafplayer.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton_xl.jpg (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris.png (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-gris.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\PPI OptimizerPro\info.html (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Dockings.dfe (2617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo3.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\group.html (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateStyle.dfe (6468 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\doma[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-short.gif (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris-small.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\hq-videopro.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mystart-toolbar-gris.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo2.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\finish.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\welcome.html (151 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\base.css (445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\PPI OptimizerProinfo.dfe (2613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Wajaminfo.dfe (2823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\config.dmc (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2C.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U4QB9L07\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butpause.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-printpdf.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position1A.css (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-ifish.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet.gif (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\MyBackupPcinfo.dfe (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo-big.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3D.css (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateDisplays.dfe (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-big.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1a.png (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UWC4R3L\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\instalando.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-olivebrowser.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin.dmc (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2.png (9 bytes)
    %System%\wbem\Logs\wbemprox.log (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butplay.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\box.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\hide.png (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\vuupc.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3C.css (638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\SM Mystartinfo.dfe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\style.css (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Browser app\info.html (1497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\wajam.css (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-img.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp\nsisdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe (1431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe.config (767 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\09ac72b88ef140aa8ee609de7640785e.txt (8027 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
