Application.Bundler.DomaIQ.Q_ce54353def

by malwarelabrobot on November 12th, 2014 in Malware Descriptions.

not-a-virus:AdWare.MSIL.DomaIQ.ahty (Kaspersky), Application.Bundler.DomaIQ.Q (AdAware), SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ce54353defcd2a3e31e25c8ecf6c484e
SHA1: bde28f477d07f36d0c5dbcc8332b25dcbc0af138
SHA256: 44a0f5545202e252701b8bc3117305d27887bca0888306e6ed0d9ab43647853e
SSDeep: 12288:duudwYcGL//JWM01Vfby4QQvRO4mqPeQ9HXD4AQf4CR5TqOM:duewYT/hmflRBmqPeQ93D4AQPjM
Size: 560504 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: download manager
Created at: 2009-12-06 00:50:41
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

rstart.exe:688
%original file name%.exe:1232

The Application injects its code into the following process(es):

e%original file name%.exe:1576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process e%original file name%.exe:1576 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Browser app shoppinginfo.dfe (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\base.css (471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Media Player Enhanceinfo.dfe (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\TheBestDeals\info.html (1217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\TheBestDealsinfo.dfe (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Media Player Enhance\info.html (1219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\config.dll (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\SM Mystart\info.html (1217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\SM Mystartinfo.dfe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\box.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Browser app shopping\info.html (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\aartemis.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Catchall Revizer\info.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Dockings.dfe (2597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Browser appinfo.dfe (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\templateDisplays.dfe (606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Vuupc\info.html (1919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\templateStyle.dfe (6081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\browserapp.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\PPI OptimizerProinfo.dfe (1902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\MyBackupPc\info.html (1217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\mystart.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\MyBackupPcinfo.dfe (606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-img.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Browser app\info.html (1217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\feven.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\mystart-toolbar-gris.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\show.png (235 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\PPI OptimizerPro\info.html (1219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\thebestdeals.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Catchall Revizerinfo.dfe (979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\group.html (10 bytes)

The process %original file name%.exe:1232 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\e%original file name%.exe (5918 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\rstart.exe.config (359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\installer.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\rstart.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\%original file name%.exe.config (690 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\rstart.exe.config (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\rstart.exe (0 bytes)

Registry activity

The process e%original file name%.exe:1576 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "e%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1376923655"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 48 66 1E FC 4F 96 28 60 F7 A4 0B BC FC 54 F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rstart.exe:688 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA F8 0A A2 FD 99 A6 9D E3 81 AA 9F 69 9F 6C 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1232 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 1F 4E 09 31 F1 7E CC D8 0A 6B 3C BD F4 A1 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
a626437b4821f5b37ddc89f479d11a7f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\e%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22738 23040 4.45908 c69726ed422d3dcfdec9731986daa752
.rdata 28672 4496 4608 3.59034 a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data 36864 110456 1024 3.20082 e59cdcb732e4bfbc84cc61dd68354f78
.ndata 147456 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 208896 25648 26112 4.29742 d25af015f1b708d62c89977f8bfe9711

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 790

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /sdb/doma.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.paleokits.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:16 GMT
Content-Type: application/x-javascript
Content-Length: 2184
Last-Modified: Wed, 07 Aug 2013 11:37:26 GMT
Connection: keep-alive
ETag: "52023176-888"
Accept-Ranges: bytes
// shows one layer and hides another
function changeVisibility(capamostrar,capaocultar) {
    div = document.getElementById(capamostrar);
    div.style.display = "";
    div = document.getElementById(capaocultar);
    div.style.display = "none";
}
// function to show or hide the installation progress, separated by offers
function mostrardiv() {
    div = document.getElementById('multipleProgress');
    div.sty..


GET /test.html HTTP/1.1
Host: api.v2.sslsecure4.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Date: Tue, 11 Nov 2014 20:04:45 GMT
Server: nginx
Content-Length: 8
Connection: keep-alive
correct.



GET /index.php/api/151/Setup/477/545/English.xml HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.sslsecure4.com


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/xml; charset=utf-8
Date: Tue, 11 Nov 2014 20:05:01 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=rmp3ekhtj5e6t3eeppksdr0sn5; path=/
transfer-encoding: chunked
Connection: keep-alive
371f
<?xml version="1.0" encoding="utf-8"?>
<doma>
  <config>
    <time><![CDATA[0.05463695526123]]></time>
    <time3><![CDATA[[0.012609958648682][0.17381596565247][-11-] [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] ]]></time3>
    <time4><![CDATA[52]]></time4>
    <time5><![CDATA[ [0.18646693229675] [0.44606113433838] [0.00013494491577148] [1.0013580322266E-5] [0.049944877624512] ]]></time5>
    <formCaption><![CDATA[New Player]]></formCaption>
    <server><![CDATA[hXXp://staticrr.safetydownload.net/]]></server>
    <formControlBox><![CDATA[1]]></formControlBox>
    <urlConfig><![CDATA[Dictionaries/English.xml]]></urlConfig>
    <templateUrl><![CDATA[Displays/Templates/8a204893_Win_A_Banner_DeclineLink.zip]]></templateUrl><templateApp></templateApp><styles><![CDATA[Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip]]></styles>
    <dockingUrl><![CDATA[Docking/Docking.zip]]></dockingUrl>
    <DownloadPath><![CDATA[temp]]></DownloadPath>
    <DeleteOnEnd><![CDATA[]]></DeleteOnEnd>
    <MultipleBars><![CDATA[]]></MultipleBars>
    <declineShowChilds><![CDATA[1]]></declineShowChilds>
    <hideWhenInstalling><![CDATA[1]]></hideWhenInstalling>

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure1.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:48 GMT
Server: Apache
Set-Cookie: vsid=902vr1632818885129735; expires=Sun, 10-Nov-2019 20:04:48 GMT; path=/; domain=track.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: track.v2.sslsecure4.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Date: Tue, 11 Nov 2014 20:04:51 GMT
Server: nginx
Content-Length: 8
Connection: keep-alive
correct...


GET /test.html HTTP/1.1
Host: api.v2.sslsecure1.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:41 GMT
Server: Apache
Set-Cookie: vsid=918vr1632818814416723; expires=Sun, 10-Nov-2019 20:04:41 GMT; path=/; domain=api.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: api.v2.sslsecure3.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:43 GMT
Server: Apache
Set-Cookie: vsid=924vr1632818837002987; expires=Sun, 10-Nov-2019 20:04:43 GMT; path=/; domain=api.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: track.v2.sslsecure3.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:50 GMT
Server: Apache
Set-Cookie: vsid=917vr1632818906521954; expires=Sun, 10-Nov-2019 20:04:50 GMT; path=/; domain=track.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: staticrr.paleokits.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:04:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
8..correct...0......



GET //Dictionaries/English.xml HTTP/1.1

Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:05 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: keep-alive
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>
<installed> Installed </installed>
<installing>Installing</installing>
<installingetc>Installing...</installingetc>
<downloadError>An Error has occurred</downloadError>
<takeFewMinutes>It may take a few seconds</takeFewMinutes>
<confirmExit>Are you sure you want to exit?</confirmExit>
<installClose>Do you want to install the remaining offers?</installClose>
<welcome>Welcome</welcome>
<license>Welcome</license>
<options>Additional Options</options>
<instalando>Installing</instalando>
<finish>Finished</finish>
<downloadingetc>Downloading...</downloadingetc>
</dictionary>

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:05 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: keep-alive
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>
<installed> Installed </installed>
<installing>Installing</installing>
<installingetc>Installing...</installingetc>
<downloadError>An Error has occurred</downloadError>
<takeFewMinutes>It may take a few seconds</takeFewMinutes>
<confirmExit>Are you sure you want to exit?</confirmExit>
<installClose>Do you want to install the remaining offers?</installClose>
<welcome>Welcome</w

<<< skipped >>>

GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:06 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: keep-alive
ETag: "5319aaac-54343"
Accept-Ranges: bytes

<<< skipped >>>

GET //Displays/Templates/8a204893_Win_A_Banner_DeclineLink.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:11 GMT
Content-Type: application/zip
Content-Length: 8012
Last-Modified: Mon, 03 Mar 2014 12:55:03 GMT
Connection: keep-alive
ETag: "53147ba7-1f4c"
Accept-Ranges: bytes

<<< skipped >>>

GET //Docking/Docking.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: keep-alive
ETag: "52949b5b-90b8"
Accept-Ranges: bytes

<<< skipped >>>

GET //Styles/Softwares/70e7b9d8_mystart.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: application/zip
Content-Length: 4152
Last-Modified: Tue, 03 Jun 2014 10:06:47 GMT
Connection: keep-alive
ETag: "538d9e37-1038"
Accept-Ranges: bytes

<<< skipped >>>

GET //Displays/Softwares/222ac0df_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: text/html
Content-Length: 12475
Last-Modified: Tue, 03 Jun 2014 10:09:14 GMT
Connection: keep-alive
ETag: "538d9eca-30bb"
Accept-Ranges: bytes
<!-- TOOLBAR Mystart v1 ENGLISH -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum mystart-win">
<h2 id="titleh">Welcome to the <span name="titulo_descarga"></span> Setup Wizard</h2>
<h3></h3>
<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>
<div class="imagen-01"></div>
<p>Get the best of the Web delivered to you!</p>
<p>Instantly access tons of apps, games, video and social network directly in your browser, Facebook, Youtube, Shopping, email and so much more!</p>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
PLEASE READ THE FOLLOWING TERMS OF USE CAREFULLY..THIS AGREEMENT IS MEANT TO APPLY TO ANY AND ALL ONLINE CONTENT AND SERVICES, INCLUDING ANY SOFTWARE PRODUCTS OF ANY KIND SUCH AS TOOLBARS, PLUGINS, EXTENSIONS, WIDGETS AND APPS (COLLECTIVELY "Tools") THAT MAY BE DISTRIBUTED OR MADE AVAILABLE BY VISICOM MEDIA INC. ("VISICOM") IN ASSOCIATION WITH THIS DOCUMENT AND THE FOLLOWING TERMS OF USE. BY DOWNLOADING, ACCESSING, INSTALLING AND/OR ACTIVATING ANY O

<<< skipped >>>

GET //Styles/Softwares/844a2c3b_browserapp.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: application/zip
Content-Length: 734
Last-Modified: Tue, 01 Jul 2014 09:26:57 GMT
Connection: keep-alive
ETag: "53b27ee1-2de"
Accept-Ranges: bytes



GET //Displays/Softwares/9103144e_display (1).html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: text/html
Content-Length: 21047
Last-Modified: Tue, 01 Jul 2014 09:28:50 GMT
Connection: keep-alive
ETag: "53b27f52-5237"
Accept-Ranges: bytes
<!-- TOOLBAR browserapp INGLÉS -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum browserapp-win">
<h2 id="titleh">Welcome to the <span name="titulo_descarga"></span> Setup Wizard</h2>
<h3></h3>
<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>
<p>Browser-app helps you save time & money on your online shopping. We'll help you find attractive offers while you browse your favorite store.</p>
<p>You can use your Browser-app with any browser installed on your computer, it is not necessary to install any particular browser just for saving money during online shopping.</p>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
Acceptance of Terms of Use..The following license and terms of use (jointly: ...Terms of Use...) govern your access and use of the Browser-app.com.com website (...Site...) and your download, install, access and use of the Browser-app.com Browser Add-On (...Browser-app.com Add-On...) and all Site and Browser-app.com Add-On contained o

<<< skipped >>>

GET //Styles/Softwares/844a2c3b_browserapp.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:12 GMT
Content-Type: application/zip
Content-Length: 734
Last-Modified: Tue, 01 Jul 2014 09:26:57 GMT
Connection: keep-alive
ETag: "53b27ee1-2de"
Accept-Ranges: bytes



GET //Displays/Softwares/9103144e_display (1).html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: text/html
Content-Length: 21047
Last-Modified: Tue, 01 Jul 2014 09:28:50 GMT
Connection: keep-alive
ETag: "53b27f52-5237"
Accept-Ranges: bytes
<!-- TOOLBAR browserapp INGLÉS -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum browserapp-win">
<h2 id="titleh">Welcome to the <span name="titulo_descarga"></span> Setup Wizard</h2>
<h3></h3>
<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>
<p>Browser-app helps you save time & money on your online shopping. We'll help you find attractive offers while you browse your favorite store.</p>
<p>You can use your Browser-app with any browser installed on your computer, it is not necessary to install any particular browser just for saving money during online shopping.</p>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
Acceptance of Terms of Use..The following license and terms of use (jointly: ...Terms of Use...) govern your access and use of the Browser-app.com.com website (...Site...) and your download, install, access and use of the Browser-app.com Browser Add-On (...Browser-app.com Add-On...) and all Site and Browser-app.com Add-On contained o

<<< skipped >>>

GET //Styles/Softwares/9c04a3ed_thebestdeals.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: application/zip
Content-Length: 750
Last-Modified: Thu, 09 Jan 2014 10:45:27 GMT
Connection: keep-alive
ETag: "52ce7dc7-2ee"
Accept-Ranges: bytes



GET //Displays/Softwares/c9c92824_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: text/html
Content-Length: 14037
Last-Modified: Thu, 09 Jan 2014 10:45:56 GMT
Connection: keep-alive
ETag: "52ce7de4-36d5"
Accept-Ranges: bytes
<!-- TOOLBAR DEALSCOMPARE INGLÉS -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum thebestdeals-win">
<h2 id="titleh">Welcome to the Installer Setup Wizard</h2>
<h3></h3>
<!--<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>-->
<p><b>TheBest-Deals</b></p>
<p>TheBest-Deals will save you money and time while shopping online, delivering the best deal straight to your browser.</p>
<p>Lowest price, effort free</p>
<div class="imagen-01"></div>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
Terms of Service..Last Updated: October 1, 2013..Please read these terms of service as they constitute a legally binding agreement between BetterDeals (the ...Service...) and yourself. By accepting this agreement in the installation process, or by downloading or installing the TheBestDeals browser extension or by using any of the services included in it, you agree to be bound by the terms and conditions of this agreement, and you pro

<<< skipped >>>

GET //Styles/Softwares/e7bf26c3_mypcbackup.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: application/zip
Content-Length: 7774
Last-Modified: Tue, 15 Oct 2013 10:54:23 GMT
Connection: keep-alive
ETag: "525d1edf-1e5e"
Accept-Ranges: bytes

<<< skipped >>>

GET //Displays/Softwares/16220985_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: text/html
Content-Length: 19650
Last-Modified: Thu, 03 Oct 2013 10:28:07 GMT
Connection: keep-alive
ETag: "524d46b7-4cc2"
Accept-Ranges: bytes
<!-- TOOLBAR MYPC BACKUP V1 ENGLISH -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum mypcbackup-win">
<h2 id="titleh">Welcome to the <span name="titulo_descarga"></span> Setup Wizard</h2>
<h3></h3>
<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>
<h6>MyPcBackup</h6>
<ul>
<li>Fast and Easy to Install</li>
<li>Protect all your files</li>
</ul>
<ul>
<li>For Windows, Mac and Linux</li>
<li>Free Mobile and Tablet app</li>
</ul>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
MyPCBackup EULA - End User Licence Agreement..IMPORTANT-READ CAREFULLY: This MyPCBackup ("MyPCBackup") License Agreement ("License" or "Agreement") is a legal agreement between You (either an individual or an entity, who will be referred to in this License as "You" or "Your") and MyPCBackup for the use of desktop, laptop, and mobile device software applications, and which may include associated media, printed materials, and other component

<<< skipped >>>

GET //Styles/Softwares/db393704_vuupc.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: application/zip
Content-Length: 741
Last-Modified: Fri, 10 Jan 2014 15:21:49 GMT
Connection: keep-alive
ETag: "52d0100d-2e5"
Accept-Ranges: bytes



GET //Displays/Softwares/1d58e78d_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: text/html
Content-Length: 15298
Last-Modified: Fri, 10 Jan 2014 15:52:57 GMT
Connection: keep-alive
ETag: "52d01759-3bc2"
Accept-Ranges: bytes
<!-- TOOLBAR VUUPC INGLÉS -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum vuupc-win">
<h2 id="titleh">Welcome to the Installer Setup Wizard</h2>
<h3></h3>
<!--<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>-->
<p><b>VuuPC</b></p>
<p>Access your PC rom anywhere!</p>
<ul>
<li>Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile</li>
<li>Access All Your Files transfer them between computers (copy and paste, no need to send)</li>
<li>Invite friends to view your LiveScreen and share presentations</li>
</ul>
<div class="imagen-01"></div>
<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>
<div class="textarea">
End User License Agreement..NOTICE TO USER: THE TERMS BELOW ARE A BINDING AGREEMENT. BY CLICKING "I ACCEPT" BELOW OR BY DOWNLOADING, INSTALLING OR ACTIVATING OR USING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT, TH

<<< skipped >>>

GET //Styles/Softwares/0ba5df4c_optimizerpro2.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:13 GMT
Content-Type: application/zip
Content-Length: 65688
Last-Modified: Tue, 08 Jul 2014 14:49:06 GMT
Connection: keep-alive
ETag: "53bc04e2-10098"
Accept-Ranges: bytes

<<< skipped >>>

GET //Displays/Softwares/7f3e6cee_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:14 GMT
Content-Type: text/html
Content-Length: 8445
Last-Modified: Tue, 08 Jul 2014 14:47:05 GMT
Connection: keep-alive
ETag: "53bc0469-20fd"
Accept-Ranges: bytes
<!-- TOOLBAR OPTIMIZER PRO 2 ENGLISH -->
<!-- VERSION WIN -->
<div name="container-in" class="position-typenum optimizerpro2-win">
<h2 id="titleh">Welcome to the <span name="titulo_descarga"></span> Setup Wizard</h2>
<h3></h3>
<h4><pre>Follow the on-screen instructions outlined in this wizard to install the new version of <span name="titulo_descarga"></span> and benefit from all the latest features and updates <span name="titulo_descarga"></span> has to offer.</pre></h4>
<div class="imagen-02"></div>
<p>Optimizer Pro will automatically:</p>
<ul>
<li>Diagnose and Scan for System Errors.</li>
<li>Optimize your PC to reach Peak Performance.</li>
<li>Maintain and Manage for extended PC Health.</li>
</ul>
<!--<div class="imagen-01"></div>-->
<!--<div class="options-form">
<div class="options-check">
</div>
<div class="options-radio">
</div>
</div>-->
<div class="textarea">
The Acceptance of the Terms and Conditions:...By selecting to use our site PCUtilititesPro.com, you the user express your agreement to these Terms, (as well as to future changes which can be made to the Terms in the process of your further usage of our services offered). The Terms in

<<< skipped >>>

GET //Styles/Softwares/03652e13_aartemis.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:14 GMT
Content-Type: application/zip
Content-Length: 979
Last-Modified: Tue, 01 Apr 2014 16:23:37 GMT
Connection: keep-alive
ETag: "533ae809-3d3"
Accept-Ranges: bytes



GET //Displays/Softwares/ac80703b_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:14 GMT
Content-Type: text/html
Content-Length: 5460
Last-Modified: Tue, 01 Apr 2014 16:24:05 GMT
Connection: keep-alive
ETag: "533ae825-1554"
Accept-Ranges: bytes
<!-- TOOLBAR AARTEMIS ENGLISH -->..<!-- VERSION WIN - V RECOM
MENDED -->..<div name="container-in" class="position-typenum aar
temis-win-recom">..... <h2 id="titleh">Welcome to the 
;<span name="titulo_descarga"></span> Setup Wizard</h2&
gt;......<h3></h3>...<h4><pre>Follow the on-sc
reen instructions outlined in this wizard to install the new version o
f <span name="titulo_descarga"></span> and benefit from al
l the latest features and updates <span name="titulo_descarga">&
lt;/span> has to offer.</pre></h4> ......<p>Expr
ess Installation Includes: Aartemis.com Homepage, Default Search and N
ew Tab</p>...<p>Installation Options</p>......<h5
><span id="spanRecomended" class="spanRecomended"> </span&
gt;</h5>...<div class="imagen-01"></div>......<di
v class="textarea">.....Koyoter Technology Limited ("us" or "we") o
perate the website VVV.aartemis.com. We respects your privacy and we w
ant you to be confident in sharing your information with us. This Webs
ite Privacy Statement is designed to inform you of the types of inform
ation we collect from users,how we use that information,and the circum
stances under which we will share it with third parties. This Website
Privacy Statement applies only to the Websites. It does not apply to y
our use of any other websites (whether or not operated by us),includin
g any websites to which we provide links or websites of our partne

<<< skipped >>>

GET //Styles/Softwares/a616773d_feven.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:14 GMT
Content-Type: application/zip
Content-Length: 723
Last-Modified: Tue, 15 Oct 2013 09:27:22 GMT
Connection: keep-alive
ETag: "525d0a7a-2d3"
Accept-Ranges: bytes



GET //Displays/Softwares/217ec6eb_display.html HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Nov 2014 20:05:14 GMT
Content-Type: text/html
Content-Length: 8927
Last-Modified: Thu, 03 Oct 2013 08:49:37 GMT
Connection: keep-alive
ETag: "524d2fa1-22df"
Accept-Ranges: bytes
<!-- TOOLBAR FEVEN INGL..S -->.<!-- VERSION WIN -->.<di
v name="container-in" class="position-typenum feven-win">...<h2
id="titleh">Welcome to the <span name="titulo_descarga">
</span> Setup Wizard</h2>. . <h3></h3>.
<h4><pre>Follow the on-screen instructions outlined in
this wizard to install the new version of <span name="titulo_descar
ga"></span> and benefit from all the latest features and upda
tes <span name="titulo_descarga"></span> has to offer.<
/pre></h4> . . <p>Feven helps you save time &
money on your online shopping. We'll help you find attractive offers w
hile you browse your favorite store.</p>. <p>You can us
e your Feven with any browser installed on your computer, it is not ne
cessary to install any particular browser just for saving money during
online shopping.</p>. . <div class="options-form">.
<div class="options-check">. </div>.
<div class="options-radio">. </div>. </div&g
t;. . <div class="textarea">. .General. This Pri
vacy Policy is intended for those using the feven.com website (...Site
...), the feven browser Add-On (...feven Add-On...) and all Site and f
even Add-On contained or displayed information and material (including
but not limited to images, software, text, information, articles, gra
phics, pictures, sounds, solutions, metatags, trademarks and other

<<< skipped >>>

GET /test.html HTTP/1.1
Host: track.v2.sslsecure2.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:49 GMT
Server: Apache
Set-Cookie: vsid=922vr1632818893303279; expires=Sun, 10-Nov-2019 20:04:49 GMT; path=/; domain=track.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
Connection: Keep-Alive


HTTP/1.0 500 Internal Server Error
Date: Tue, 11 Nov 2014 20:04:42 GMT
Server: Apache
Set-Cookie: vsid=908vr1632818827801948; expires=Sun, 10-Nov-2019 20:04:42 GMT; path=/; domain=api.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


The Application connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    rstart.exe:688
    %original file name%.exe:1232

  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Browser app shoppinginfo.dfe (734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet-shortw.gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-olivebrowser.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3C.css (638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\finish.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\percentage-bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\base.css (471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\vuupc.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\logo-win.jpg (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Media Player Enhanceinfo.dfe (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position1A.css (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet-short.gif (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\TheBestDeals\info.html (1217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\TheBestDealsinfo.dfe (750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Media Player Enhance\info.html (1219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-zipper.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\config.dll (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\optimizerpro2.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\boton_xl.jpg (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\butplay.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bg_app.png (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\SM Mystart\info.html (1217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\more.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-gevideoconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\instalando.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\cross.jpg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-vafmusic.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\SM Mystartinfo.dfe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\box.html (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\mypcbackup.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Browser app shopping\info.html (296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\aartemis.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\close.html (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress_small.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check-close.png (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Catchall Revizer\info.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\butpause.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Dockings.dfe (2597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-ifish.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-geaudioconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Browser appinfo.dfe (734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\templateDisplays.dfe (606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Vuupc\info.html (1919 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\templateStyle.dfe (6081 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\browserapp.css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\PPI OptimizerProinfo.dfe (1902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\bullet.gif (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\options.html (965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\MyBackupPc\info.html (1217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Vuupcinfo.dfe (741 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-printpdf.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\boton.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\check.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\mystart.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\MyBackupPcinfo.dfe (606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-img.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\Browser app\info.html (1217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-vafplayer.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position4A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-logo.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\style.css (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\screen-miul.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\feven.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\mystart-toolbar-gris.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\show.png (235 bytes)
    %System%\wbem\Logs\wbemprox.log (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position2C.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\less.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\progress_small_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\PPI OptimizerPro\info.html (1219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\thebestdeals.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\position3D.css (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\welcome.html (151 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\hide.png (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\mypcbackup.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\temp\Catchall Revizerinfo.dfe (979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\css\images\optimizerpro-logo-big.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\bin\exe\group.html (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\e%original file name%.exe (5918 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\rstart.exe.config (359 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\installer.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\efcbea222c7a44a0adc609f06e3defab\%original file name%.exe.config (690 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
