Application.Bundler.DomaIQ.Q_b30d423773

by malwarelabrobot on January 13th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.Lollipop.qo (Kaspersky), Application.Bundler.DomaIQ.Q (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b30d4237736d4a63d13b3c14feb5dc38
SHA1: d3f21910a661b60f969536170dce914f2b703924
SHA256: ccc9e54f438d4c2ea4f3027195be5ed6d231899a00a7933cdd45e400cedb42f5
SSDeep: 6144:z+K03Pn0NShKvAPBGxr4mbOlq1QTiZZaN9BJvilHKMiRE3Ywk:a3+AmhYqa59iFiO5k
Size: 322056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-14 23:09:38
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:3636

The Application injects its code into the following process(es):

%original file name%.exe:3488

Mutexes

The following mutexes were created/opened:

CTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
ShimCacheMutex
RasPbFile
!PrivacIE!SharedMemory!Mutex
ZonesCounterMutex
!IETld!Mutex
ZoneAttributeCacheCounterMutex
DDrawWindowListMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
__DDrawCheckExclMode__

File activity

The process %original file name%.exe:3636 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\465ff7c14db84a079d0b97406e3a8ff6.txt (7864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe (1431 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB2.tmp (0 bytes)

The process %original file name%.exe:3488 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\PPI OptimizerProinfo.dfe (3505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Dockings.dfe (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\MyBackupPcinfo.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\Vuupc\info.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\base.css (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\MyBackupPc\info.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small_bg.png (3 bytes)
%System%\wbem\Logs\wbemprox.log (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-img.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\PPI OptimizerPro\info.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateStyle.dfe (5690 bytes)

Registry activity

The process %original file name%.exe:3636 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 87 56 D7 23 16 0C 8C 38 9F 56 1C 22 6F B5 11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:3488 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 25 65 8A 0D 1A 10 26 5E 6A 16 CC 5F D2 1A A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1381828954"
"Name" = "%original file name%.exe"

The Application modifies IE security-zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Application modifies IE security-zone settings so that all local sites with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Application modifies IE security-zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
93f88a2379be0d22ed1039e87771e3f5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe
1dadb63a5dfaa0679485c5dbaf96033f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiB3.tmp\nsisdl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23148 23552 4.44633 1c619949741a76b63a54c1e6c4d6b2f8
.rdata 28672 4558 4608 3.62955 6c31e0693072284f258d2c4a271de506
.data 36864 110520 1024 3.36948 78f5760d9fafb71fdbc88c3497afef46
.ndata 147456 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 208896 17000 17408 3.5656 7fae611f3f73978e9992534a50a87055

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1546
24dfc5735ffdc44ab04ecaf68c5c37c0
06fb90b7081f8881f62cf9a1912ce90d
61786c35bdbbdbee8d8167359fe4c006
de0142141abde6286d0f1d1411e3b743
1aa2c540070a3fc070648c3439e76e3a
3769e46ead3f1f03a6f592e17a55f03a
3f9c8f78e5f622f4798e840a91ef9331
6a7ab12a471271c6b6d2b7e5ab75aa49
a15e3163b8b3bb0fd7e358bc9463b0f2
3cc49afc567afd78de810cecd2331a51
03af95d2db790ef4fd0fc67992b3fa34
b32f2d9bdc802fd71488a1b25225c135
c1aa9894e43eece9d16da59cab758d1b
3928afae406e3f808f6087e5dbfe750b
b8f83f5316971b925c153a2a609e5813
c29b34bdbafbaf60a830a2ecaf10002d
dff9c91218427199a7f530647221fd5f
7ba577817c32ac2d586e4167b98ef660
657d39d063cf5a1e530b16c94500a362
716f95a4a54169322100b0765c8245fa
64cb934e5261377004abae209e4f0c1f
c2f5e9657bb65d08da1efd7754ed31bb
8469f7c58f3cdf13f1410c65c6321b3a
8f219358f07cfca28da6f98458031aee
e712a6e10e590a49603d33c110c495bf

URLs

URL IP
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/Start 204.11.56.45
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/GetInfo 204.11.56.45
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/CopyFiles 204.11.56.45
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/GetParameters 204.11.56.45
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/PreRun 204.11.56.45
hxxp://staticrr.tgusrv.com/test.html
hxxp://dtrack.sslsecure1.com/test.html 204.11.56.45
hxxp://Track-903226030.us-west-2.elb.amazonaws.com/test.html
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/test.html
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/256/Browser_Update/502/703/English.xml
hxxp://staticrr.tgusrv.com//Dictionaries/English.xml
hxxp://s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe
hxxp://dl.softservers.net/111001899/OptimizerPro.exe 184.154.145.171
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip
hxxp://staticrr.tgusrv.com//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip
hxxp://staticrr.tgusrv.com//Docking/Docking.zip
hxxp://staticrr.tgusrv.com//Styles/Softwares/e7bf26c3_mypcbackup.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/16220985_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/db393704_vuupc.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/1d58e78d_display.html
hxxp://staticrr.tgusrv.com//Styles/Softwares/0ba5df4c_optimizerpro2.zip
hxxp://staticrr.tgusrv.com//Displays/Softwares/7f3e6cee_display.html
hxxp://staticrr.tgusrv.com/sdb/doma.js
hxxp://staticrr.paleokits.net//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip 85.12.5.2
hxxp://api.v2.sslsecure2.com/test.html 204.11.56.45
hxxp://staticrr.paleokits.net//Styles/Softwares/e7bf26c3_mypcbackup.zip 85.12.5.2
hxxp://track.v2.sslsecure3.com/test.html 204.11.56.45
hxxp://staticrr.paleokits.net/sdb/doma.js 85.12.5.2
hxxp://api.v2.sslsecure3.com/test.html 204.11.56.45
hxxp://aff-software.s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe 54.231.2.204
hxxp://staticrr.paleokits.net//Docking/Docking.zip 85.12.5.2
hxxp://staticrr.paleokits.net//Displays/Softwares/1d58e78d_display.html 85.12.5.2
hxxp://track.v2.sslsecure1.com/test.html 204.11.56.45
hxxp://api.v2.sslsecure4.com/index.php/api/256/Browser_Update/502/703/English.xml 54.200.36.178
hxxp://staticrr.paleokits.net/test.html 85.12.5.2
hxxp://staticrr.paleokits.net//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip 85.12.5.2
hxxp://api.v2.sslsecure1.com/test.html 204.11.56.45
hxxp://api.v2.sslsecure4.com/test.html 54.200.36.178
hxxp://staticrr.paleokits.net//Displays/Softwares/7f3e6cee_display.html 85.12.5.2
hxxp://staticrr.paleokits.net//Styles/Softwares/0ba5df4c_optimizerpro2.zip 85.12.5.2
hxxp://track.v2.sslsecure4.com/test.html 54.186.105.91
hxxp://staticrr.paleokits.net//Styles/Softwares/db393704_vuupc.zip 85.12.5.2
hxxp://staticrr.paleokits.net//Displays/Softwares/16220985_display.html 85.12.5.2
hxxp://staticrr.paleokits.net//Dictionaries/English.xml 85.12.5.2
hxxp://track.v2.sslsecure2.com/test.html 204.11.56.45
s3.amazonaws.com 54.231.17.136


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Executable served from Amazon S3

Traffic

GET /test.html HTTP/1.1
Host: api.v2.sslsecure3.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: Apache
Set-Cookie: vsid=916vr1686474605802126; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET //Displays/Softwares/7f3e6cee_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:11 GMT
Content-Type: text/html
Last-Modified: Tue, 08 Jul 2014 14:47:05 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
(gzip-compressed response body: binary data, not reproduced)

<<< skipped >>>

GET //Displays/Softwares/1d58e78d_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: text/html
Last-Modified: Fri, 10 Jan 2014 15:52:57 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
(gzip-compressed response body: binary data, not reproduced)

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure3.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: Apache
Set-Cookie: vsid=920vr1686474586003694; expires=Sat, 11-Jan-2020 22:30:58 GMT; path=/; domain=track.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET //Displays/Softwares/16220985_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:08 GMT
Content-Type: text/html
Last-Modified: Thu, 03 Oct 2013 10:28:07 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
(gzip-compressed response body: binary data, not reproduced)

<<< skipped >>>

GET //Docking/Docking.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:07 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: close
ETag: "52949b5b-90b8"
Accept-Ranges: bytes
(ZIP archive body: binary data, not reproduced; the local file headers visible in the dump name position1A.css, position2A.css, position2B.css, position2C.css and position3A.css)

<<< skipped >>>

GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate,gzip, deflate
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:06 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: close
ETag: "5319aaac-54343"
Accept-Ranges: bytes

<<< skipped >>>

GET /debug/Version/4_0_6_27/Nsis/Start HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:38 GMT
Server: Apache
Set-Cookie: vsid=914vr1686474385710320; expires=Sat, 11-Jan-2020 22:30:38 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<html>..<head><meta name="t
ids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /
><title>sslsecure1.com</title>..<meta http-equiv="Co
ntent-Type" content="text/html; charset=UTF-8">..<style type="te
xt/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,p
re,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;
}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:
0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:
normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,
h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'
';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;
}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table
{ text-align: left; margin: 0 auto; font-family: arial, sans-serif; co
lor: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i1.c
dn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...
h-list li {display: inline; text-align:left;}...h-list li strong {colo
r: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}
../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px
;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...
font-size: 35px;...text-decoration: none;...font-family: "ChunkFive",
arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure2.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: Apache
Set-Cookie: vsid=916vr1686474583427928; expires=Sat, 11-Jan-2020 22:30:58 GMT; path=/; domain=track.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /debug/Version/4_0_6_27/Nsis/GetParameters HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:41 GMT
Server: Apache
Set-Cookie: vsid=911vr1686474414929741; expires=Sat, 11-Jan-2020 22:30:41 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /test.html HTTP/1.1
Host: api.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...


GET //Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:07 GMT
Content-Type: application/zip
Content-Length: 7828
Last-Modified: Mon, 03 Mar 2014 12:56:47 GMT
Connection: close
ETag: "53147c0f-1e94"
Accept-Ranges: bytes

<<< skipped >>>

GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close


HTTP/1.1 200 OK
x-amz-id-2: HRUd6mTasJKkgUc6niHb0BmA7L0DSem4FrTCLr0XMXpKgGjaIf8cS4fdmFzrg5gPDNYke6bg5WQ=
x-amz-request-id: 52B4062A478CC5E0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3

<<< skipped >>>

GET //Styles/Softwares/db393704_vuupc.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: application/zip
Content-Length: 741
Last-Modified: Fri, 10 Jan 2014 15:21:49 GMT
Connection: close
ETag: "52d0100d-2e5"
Accept-Ranges: bytes


GET /debug/Version/4_0_6_27/Nsis/CopyFiles HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:40 GMT
Server: Apache
Set-Cookie: vsid=913vr1686474405623145; expires=Sat, 11-Jan-2020 22:30:40 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /111001899/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Content-Type: application/octet-stream
Content-Length: 6049272
Last-Modified: Mon, 12 Jan 2015 16:49:56 GMT
Connection: close
ETag: "54b3fb34-5c4df8"
Content-Disposition: attachment; filename=OptimizerPro.exe

<<< skipped >>>

GET /test.html HTTP/1.1
Host: api.v2.sslsecure1.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:59 GMT
Server: Apache
Set-Cookie: vsid=914vr1686474600210261; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: Apache
Set-Cookie: vsid=911vr1686474603006292; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:30:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
8..correct...0..


GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close


HTTP/1.1 200 OK
x-amz-id-2: 1Az407UJdTbB4g/fg8iQ2idt5hfYWWyZYCuohkKUUK/kjzI vlW6eq4feoHTlKmEwdnAKgB3udk=
x-amz-request-id: 693A476A6FB6EA2B
Date: Mon, 12 Jan 2015 22:31:05 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3

<<< skipped >>>

GET /debug/Version/4_0_6_27/Nsis/GetInfo HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:39 GMT
Server: Apache
Set-Cookie: vsid=920vr1686474395903694; expires=Sat, 11-Jan-2020 22:30:39 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...


GET /sdb/doma.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: staticrr.paleokits.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:15 GMT
Content-Type: application/x-javascript
Content-Length: 2184
Last-Modified: Wed, 07 Aug 2013 11:37:24 GMT
Connection: keep-alive
ETag: "52023174-888"
Accept-Ranges: bytes
   // shows one layer and hides another
   function changeVisibility(capamostrar, capaocultar) {
       var div = document.getElementById(capamostrar);
       div.style.display = "";
       div = document.getElementById(capaocultar);
       div.style.display = "none";
   }
   // function to show or hide the installation progress, separated by offer
   function mostrardiv() {
       var div = document.getElementById('multipleProgress');
       div.style.display = "";
       div = document.getElementById('ocultar');
       div.style.display = "";
   }
   function cerrar() {
       // body not present in the captured response (truncated by the sandbox)
   }


GET /111001899/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Content-Type: application/octet-stream
Content-Length: 6049272
Last-Modified: Mon, 12 Jan 2015 16:49:56 GMT
Connection: close
ETag: "54b3fb34-5c4df8"
Content-Disposition: attachment; filename=OptimizerPro.exe

<<< skipped >>>

GET //Styles/Softwares/0ba5df4c_optimizerpro2.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: application/zip
Content-Length: 65688
Last-Modified: Tue, 08 Jul 2014 14:49:06 GMT
Connection: close
ETag: "53bc04e2-10098"
Accept-Ranges: bytes

<<< skipped >>>

GET /index.php/api/256/Browser_Update/502/703/English.xml HTTP/1.1
Accept-Encoding: gzip, deflate,gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.sslsecure4.com
Connection: Close


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Type: text/xml; charset=utf-8
Date: Mon, 12 Jan 2015 22:31:03 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=qs8fr43jga7490i21ainjdelq5; path=/
transfer-encoding: chunked
Connection: Close

<<< skipped >>>

GET //Styles/Softwares/e7bf26c3_mypcbackup.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:08 GMT
Content-Type: application/zip
Content-Length: 7774
Last-Modified: Tue, 15 Oct 2013 10:54:23 GMT
Connection: close
ETag: "525d1edf-1e5e"
Accept-Ranges: bytes

<<< skipped >>>

GET //Dictionaries/English.xml HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:04 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: close
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>
  <installed>Installed</installed>
  <installing>Installing</installing>
  <installingetc>Installing...</installingetc>
  <downloadError>An Error has occurred</downloadError>
  <takeFewMinutes>It may take a few seconds</takeFewMinutes>
  <confirmExit>Are you sure you want to exit?</confirmExit>
  <installClose>Do you want to install the remaining offers?</installClose>
  <welcome>Welcome</welcome>
  <license>Welcome</license>
  <options>Additional Options</options>
  <instalando>Installing</instalando>
  <finish>Finished</finish>
  <downloadingetc>Downloading...</downloadingetc>
</dictionary>


GET /test.html HTTP/1.1
Host: track.v2.sslsecure1.com
Connection: Close


HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:57 GMT
Server: Apache
Set-Cookie: vsid=927vr1686474579924832; expires=Sat, 11-Jan-2020 22:30:57 GMT; path=/; domain=track.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /debug/Version/4_0_6_27/Nsis/PreRun HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:42 GMT
Server: Apache
Set-Cookie: vsid=904vr1686474423107647; expires=Sat, 11-Jan-2020 22:30:42 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">
<html>
<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
/*RESET*/
body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}
/*COMMON*/
.wrapper {text-align: center;}
.img {margin:0px; margin-bottom:-11px !important;}
.wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px; }
.h-list {background: url(hXXp://i4.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}
.h-list li {display: inline; text-align:left;}
.h-list li strong {color: #358a35;}
h2 {color: #63ad63; font-size: 14px; font-weight: bold;}
/*HEADER*/
#header {border-top: 4px solid #358a35; padding-top: 8px;}
#header .cufondiv h1 a {
	color: #63ad63;
	font-weight: bold;
	font-size: 35px;
	text-decoration: none;
	font-family: "ChunkFive", arial, serif;
	font-weight:bold;
}
#header .normalfondiv h1 a

<<< skipped >>>

The Application connects to the servers at the following location(s):

%original file name%.exe_3636:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe" /path="c:\%original file name%.exe" ""
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp\nsisdl.dll
c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp
6d4a63d13b3c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe
<add key="UseElevatedPermissions" value="0" />
<system.net>
<httpWebRequest useUnsafeHeaderParsing="true"/>
</system.net>
<system.web>
<httpRuntime maxRequestLength="19000"/>
<webServices>
<add name="HttpGet"/>
<add name="HttpPost"/>
</webServices>
</system.web>
<supportedRuntime version="v2.0.50727"/>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
v2.0.50727
setup.exe
CallUrl
.ctor
System.Resources
System.Reflection
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.IO
System.Net
WebRequest
HttpWebRequest
IWebProxy
get_DefaultWebProxy
WebResponse
HttpWebResponse
Password
<PrivateImplementationDetails>{69D79557-607E-461D-AA40-846B7DB81F90}
System.Security.Cryptography
PasswordDeriveBytes
set_Key
4.0.6.27
$4359678b-701f-494d-b0af-34df5ab92876
_CorExeMain
mscoree.dll
%original file name%.exe
B30D42~1.EXE
14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/>
  <description>Nullsoft Install System v3.0a1</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    </application>
  </compatibility>
</assembly>
465ff7c14db84a079d0b97406e3a8ff6.txt

%original file name%.exe_3488_rwx_00E50000_00009000:

2;.yP

%original file name%.exe_3488_rwx_00E80000_00010000:

.QxY^


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3636

  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\nsisdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\465ff7c14db84a079d0b97406e3a8ff6.txt (7864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe.config (767 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-geaudioconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3D.css (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\percentage-bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\PPI OptimizerProinfo.dfe (3505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Dockings.dfe (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\MyBackupPcinfo.dfe (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-short.gif (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo-big.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\vuupc.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\Vuupc\info.html (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\options.html (965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\base.css (344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\config.dmc (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2C.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\MyBackupPc\info.html (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-shortw.gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\box.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\less.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\instalando.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position4A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\logo-win.jpg (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\optimizerpro2.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check-close.png (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton_xl.jpg (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafmusic.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet.gif (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small_bg.png (3 bytes)
    %System%\wbem\Logs\wbemprox.log (354 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bg_app.png (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3C.css (638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butplay.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-zipper.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafplayer.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\group.html (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\more.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-img.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\PPI OptimizerPro\info.html (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\hide.png (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\cross.jpg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position1A.css (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\welcome.html (151 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\show.png (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-miul.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\mypcbackup.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-gevideoconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\mypcbackup.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butpause.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\close.html (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\doma[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\style.css (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateDisplays.dfe (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Vuupcinfo.dfe (741 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-olivebrowser.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-printpdf.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\finish.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-ifish.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateStyle.dfe (5690 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
