Gen.Variant.Application.Bundler.Outbrowse.1_a84fa21e53

by malwarelabrobot on March 3rd, 2015 in Malware Descriptions.

Gen:Variant.Application.Bundler.Outbrowse.1 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a84fa21e5397f001256e70cba5de8a9a
SHA1: 183ddfa8fdae9d3720ed43cccda185a03552cf23
SHA256: 891feae794c60a1046e1a1f6093dbbb5eb035f1aaffed21eeb0644b6db1d097d
SSDeep: 12288:i7qyYeBBspMgZmZl3UdK/B19nvrftSAGRgOJPvVYNHQsqyMX5OLe5EY:i7NzBsegZmloKz9jVSAGimPvVYHdMX5J
Size: 625960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

GI15X10700.exe:1436
wmic.exe:312
%original file name%.exe:1928

The Malware injects its code into the following process(es):

cdcabfhjcbb.exe:252

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GI15X10700.exe:1436 makes changes in the file system.
The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp (0 bytes)

The process wmic.exe:312 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81425260898.txt (238 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81425260898.txt (0 bytes)

The process cdcabfhjcbb.exe:252 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\dc[1].js (2195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81425260898\GI15X10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\bodyImg[1].png (1 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81425260898.txt (0 bytes)

The process %original file name%.exe:1928 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rc64.exe (433345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rc64.cdcabfhjcbb (9120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\7tm.dll (2528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cdcabfhjcbb.zip (61716 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)

Registry activity

The process GI15X10700.exe:1436 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D B2 CF 11 EE 7F F8 64 4A 44 85 7A 3C F2 57 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\OperaOB]
"Install" = "1"

The process wmic.exe:312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 86 B0 05 9F 81 8F C3 1E 6D 65 A7 6E 39 E5 03"

The process cdcabfhjcbb.exe:252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 44 E9 18 AB D9 65 BB 7E 29 B9 56 C8 F8 36 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 24 0F 16 9B 0C 8C B9 46 77 05 47 35 5C DE F6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
10ffabc748d68c40b68f883058c9b932 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81425260898\GI15X10700.exe
86c05d6b5c9b6f8f7fcf32bbcc6ad881 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cdcabfhjcbb.exe
b7c88041bb05a8b5e5fe4336b4554fad c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\7tm.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\nsisunz.dll
10ffabc748d68c40b68f883058c9b932 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Download Manager
Product Version: 1.1523.78.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 26864 27136 3.95633 35c47e890bdb64f8806ab70acc33898d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 148
640fe14973543b93c8ebe1e068e94547
d09d3c78420b9b501a55131bacffa61d
0fc749842178e51219a139c14b28ddb9
0810a6ed6fe1af544f6441d881dcfb61
016c00aba2a5e4fddf5482e69dbdfe49
fbe1b256709357ea7ad71aae6cee9ff9
dbb1d271cddb8550049da619b0d3c76d
d65c9ed6e8a3444d4f4aae1b3a6d2855
c851d31f2e5a31eb23f8793d46d90f01
b851af52a5117de27110400570b0460d
7a5101cd5a0e1ba1b5ba19d82d2a536f
6f8828cdbcb23ccf9dcf77ebb78d46fb
5f4d8b59442f54a79ec6d7acbdaf6959
5e3c25f74ff722d0b8de5e06ee1a3c9b
561a00b7d3be92b529a0ef85beac08ff
53a3d4a7db18abfedaf9127a95d68084
3a596b5250bcc5ca7974183874952e48
27337d32af6170d513249b1b1d51a142
1e3e005154c1f3e3a3709846afd5a5a6
06dacfa69eef2dde76a76af32a434e4b
05a67f9782515716ed6ce33a44053418
ff8a4d34f9d0e15e4566742b0a2fe398
fa73d6e37868c3a406793e836d9e7e83
f06086c9c34b30c57a65f7a1b244689c
e94fcfd78d016d6c5d0c25db6290339b

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0&nipids=-13298-12929-24443-24263-26109&secondcall=1&reqid=236255255
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&reqid=236255255&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png
hxxp://serv.the-app-data.info/Installer/Track?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&reqid=236255255&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 54.225.114.189
hxxp://serv.the-app-data.info/Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0&nipids=-13298-12929-24443-24263-26109&secondcall=1&reqid=236255255 54.225.114.189
hxxp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0& 23.23.202.69
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg 198.232.124.224
hxxp://serv.the-app-data.info/Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0 54.225.114.189
hxxp://stats.g.doubleclick.net/dc.js 74.125.205.156
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg 198.232.124.224
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe 198.232.124.192
hxxp://static.revenyou.com/offers/images/Theme12/button.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png 198.232.124.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 00:49:13 GMT
Expires: Mon, 02 Mar 2015 02:49:13 GMT
Last-Modified: Thu, 05 Feb 2015 17:35:24 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15844
Cache-Control: public, max-age=7200
Age: 3550
Alternate-Protocol: 80:quic,p=0.08
...........}i[[email protected]'...{.ww..K
....&..q..n?...7r.(e........{..A?.I*"..&.n.M....H... ...".aw.V....D..B
.0.........K....:...EYN.......=...........k....'. ...p'.D..W2U...@p...
.....L.~O_A}...^....q.].G.........I....7....N!.(..N....Hl.'~.^.......r
...@..~.W..'. .b..P...`....B....v..j..'...b..%.,cO$....1..C.......4.~.
PB(.px<q.Yt.A...>..@..{..B.?wc..cE..q.Y...v.....7.Ff.~I,...=.Q..
....t.%..q.V.......go......S.CHA..J....J.N...,V.2.5.YZ2..,..._rb..$.l.
*....P/......r.I.x......P./.T.}YV...<V..........E..e.*.K.$......uBa
K..1..yI.v...4q...z.?....o.{.}.=..j...-....@.......?$....J..Q..T...}.g
.....q..k.......6... ... ?p..y&...k......].=.(..W&...b..P..DM.p....gY.
.H...p^.&.....y(.|..s...P.._]:..].X.DI......`.{.......f.,.e..9..P".F.e
.....9..R..ac..c.....W.i*..E//.^}..f....z>..2.H..*<j^.....v.).Z.
q=#..KW...ib B.....U 8....M...Q.....2 8..F......pE^r.......B.[..2.....
....q..`.I>;o....... .!.......m..P60I.bK.lG..V.......s....Qy.8....#
.^. ..G......7.Ze8c.sfrr..SJI...1.:.\YW..j3..H%...........e.c.7...[.n.
..-{[email protected].=..jR....]....xz.`.<.....}..*`.\..8.u.B
vc.ue.S[].EV...4...)......JUZ.vb..\.....7....%f..26#.H].r.u...~....../
.-.x[{5 ....,.<.[....6.T.[..r..l.ZX...[E.m.o>?U..c.[.v.....$e../
~8^..xJ....R..... H..iq......H..4.5h.j<..l..ucc.....Jj....-3.W(...U
8u..kF..a%`]3..C.`..a7.X.......-.$:[email protected]".u...TjC.J~.Ym5..%
[email protected] ...!NY...Qy...*..5..MN....x~1T..Qz.T.e.J...M[.....Y?e]S
[email protected][0..G..y..
<<< skipped >>>


GET //offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: srv.dmdataserver.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 02 Mar 2015 01:48:12 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 11954
Connection: keep-alive
<html>.    <head>.      <title>5 - NonProduct (Downl
oad Manager)</title><script type='text/javascript'>var _ga
q = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push([
'_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', tru
e]);..                                            _gaq.push(['_trackPa
geview']);..                                            (function() {.
.                                              var ga = document.creat
eElement('script'); ga.type = 'text/javascript'; ga.async = true;..   
                                           ga.src = ('https:' == docum
ent.location.protocol ? 'hXXps://' : 'hXXp://')   'stats.g.doubleclick
.net/dc.js';..                                              var s = do
cument.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga
, s);..                                            })();</script>
;<style type='text/css'>body      {          width:100%; height:
100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-s
ize:12px;}   .divLeadpName      {         border-bottom-style:groove;b
order-bottom-width: thin; padding-left:61px; padding-top:9px; font-siz
e:font-family:helvetica; font-style:italic; font-size:25px;           
      font-weight:bold; color:black; position:absolute;   width: 100%;
 background-color: #fff; ba}   #divTop         {display: none}  #divMi
ddle      {background-color: #efecec; height: 100%;} #middle    {backg
round-color: #fff;} .divOnNext      {          position:absolute; 
<<< skipped >>>


GET /Installer/Track?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&reqid=236255255&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 02 Mar 2015 01:48:24 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html
; charset=utf-8..Date: Mon, 02 Mar 2015 01:48:24 GMT..Server: Microsof
t-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Po
wered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....



GET /offers/images/Theme12/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 02 Mar 2015 01:48:20 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/bgImg.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 02 Mar 2015 01:48:21 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/nextCase.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 02 Mar 2015 01:48:21 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..HTTP/1.1 404 Not Found..Date: Mon, 02 Mar 2015 01:48:21 GMT..Co
ntent-Type: text/html..Content-Length: 1245..Connection: keep-aliv
<<< skipped >>>


GET /offers/images/Theme12/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 02 Mar 2015 01:48:20 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/bodyImg.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 01:48:20 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Mon, 09 Mar 2015 01:48:20 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM
..z&..............u0...`..:....p..Q<...0PLTE.......................
.........................{.......IDATx......:..`..p..J.4.ty.:......)v.
.\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..].
.8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.
\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._.
.d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..&
gt;).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../
..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o
..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F
]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W
7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8..
......KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y.
.)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z
%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y.
..... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S..
...W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>[email protected])e
M.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J..
.,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.
*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.
J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....
X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>

GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 02 Mar 2015 01:48:21 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/button_over.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 01:48:21 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Mon, 09 Mar 2015 01:48:21 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...;IDATx..Z;o.1..Y.D...W."$=D..*[email protected].
...........;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.s
h..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[[email protected].
...y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?
7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.
......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K.....
...YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\
D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........
Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N.......
.*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..t
svP!.U0.q.......9z.e [email protected]............. .>=...{WVim...
.f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o
[email protected].^......IEND.B`.....


GET /offers/images/Theme12/button.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24829&leadp=23217&countryid=262&sysbit=32&imgurl=&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&dfb=0&hb=2&isagg=1&version=6.0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 01:48:21 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Mon, 09 Mar 2015 01:48:21 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi.......
.../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f.
..p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C......
.$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....
-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^
.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`.HTTP/1.1 200 O
K..Date: Mon, 02 Mar 2015 01:48:21 GMT..Content-Type: image/png..Conte
nt-Length: 458..Connection: keep-alive..Cache-Control: max-age=604800.
.Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT..ETag: "1b5642f092ce1:0"
..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..Expires: Mon, 09 Ma
r 2015 01:48:21 GMT..X-Cache: HIT..Accept-Ranges: bytes...PNG........I
HDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx.
..1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<...
.....R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr...
.bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. ...
..%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u
.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._...
...rU.<Z`..d..E.|.0.......B.....IEND.B`...
<<< skipped >>>


GET /Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 02 Mar 2015 01:48:22 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 26977
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*lps(cid
_oYn^ps_q*cmh'*hdc_qo/Btf\fg`IebepN[m^ck9nbfcma_63#^hotg_5--6/3%he
__h8 1/ 6"cmpfokwf^<.60!ktl`fn</2$debnpi7%_omfa`ipl^t_tl\e`
6?aiaa DgYna.Mf`uep!\a[;- g^=0!anZed70"vcmkdhl:0-,&csl`kl^f&l
t;,"*.J\mc.4,-, <\_brfim]lB\l\.8.. .AloaqbprmdoRcbC`rq.4!., KY
thsq.9)1*.=a_c`nhre 5%,% MlniordgiK_q_!6-/'.?bq`ldlal^qMZrb.9)1*.K
g^cm;epepDfnm_if!60*.Ndkrr[kKfd`j>hkj[m`Lgi].3 .&!?alMmi:q@bd_k
`jp.3rood("PpfDg?daqasqdn`Blpn`hlcm.5. ).QqnGiJ``si[qEnqoYgeco.9.
"*.Hm^Cu_QassglO^pj.9."*.Hm^Cu_QassglQZjr_!6" '.Khq
q?waRcnmgmRbll.: .$.ImpnDteP`kperS[kqe 5..% MirpRcbC`r1/.9."*.Hjl
rO_fGew1,.3 .w w"Njko>vb.9."*.Hm^Cu_!6" '.>hk
mimanrOqk^ 7* .Mmiaobx^nhknRth`l 7.01"*.J``Ibs!6"FF=TXJL=@H_
K<;CBLB.RKFRR9M>ZYph)vg`oNhdqq`neZWnd&tf_vdpz.t.AIBS^HOA<
[email protected]>LDX\ktkoZpqmd]racKj_rt[qa\Zhqnm_onraap^`ciz.v..HI@Q
ZEM@;K[M?>@DGC.MNBTU<J@UZpqdat kYb^Ql`ssap`TWlub_s)p_b]ciz.v.DKC
TWGHA>F^IAACAI>.PIEPW?M=WUub\roe_m[c^qPiepw_m]WUub\roe_m[c^qej{.
|.CC@R]IIB=L]H9>AGK?.OODOO<KCYVning]gs^qPiepw_m]WUmjhh^ov`kciz.v
.DKCTWGHA>F^IAACAI>.PIEPW?M=WUmjcf]-ngmnLmcnv]rcWTjfgd[,llsn`k.*
.LdcKct./.8.BJAY]GG>:J\G@?HGI=.LMCNV=RCWTqb scdsSmalrZpbV[ri qa
<<< skipped >>>

GET /Installer/Flow?pubid=18082&distid=24829&productid=23217&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=FREESO010Zdccb8bc73dcff2d0a8884af7d221c4da&cookieproductname=65-100-111-98-101-32-70-108-97-115-104-32-80-108-97-121-101-114&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=&downloadtime=&version=6.0&nipids=-13298-12929-24443-24263-26109&secondcall=1&reqid=236255255 HTTP/1.1


User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 02 Mar 2015 01:48:24 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 28893
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*lps(cid
_oYn^ps_q*cmh'*hdc_qo/Btf\fg`IebepN[m^ck9nbfcma_63#^hotg_5--6/3%he
__h8 1/ 6"cmpfokwf^<.60!ktl`fn</2$debnpi7%_omfa`ipl^t_tl\e`
6?aiaa DgYna.Mf`uep!\a[;- g^=0!anZed70"vcmkdhl:0-,&csl`kl^f&l
t;,"*.J\mc.4,-, <\_brfim]lB\l\.8.. .AloaqbprmdoRcbC`rq.4!., KY
thsq.9)1*.=a_c`nhre 5%,% MlniordgiK_q_!6-/'.?bq`ldlal^qMZrb.9)1*.K
g^cm;epepDfnm_if!60*.Ndkrr[kKfd`j>hkj[m`Lgi].3 .&!?alMmi:q@bd_k
`jp.3rood("PpfDg?daqasqdn`Blpn`hlcm.5. ).QqnGiJ``si[qEnqoYgeco.9.
"*.Hm^Cu_QassglO^pj.9."*.Hm^Cu_QassglQZjr_!6" '.Khq
q?waRcnmgmRbll.: .$.ImpnDteP`kperS[kqe 5..% MirpRcbC`r1/.9."*.Hjl
rO_fGew1,.3 .w w"Njko>vb.9."*.Hm^Cu_!6" '.>hk
mimanrOqk^ 72 .Mmiaobx^nhknRth`l 7.0)9  %,2 /*!("P`_F^w.4!., M]bD
cv03.: .$.KcmiqpN_h].3 >PN., Kjj]s`nH@"8,$.:jt[xoOda]m.8-&
!EsU\ao?moCmot_gd.3/).DteSMD.3 .&!AxcPJG  7.!("AjehZlaFhje 5.
.% L`earSMD.3 ensl:-*kmo,agc]t_n]moco(bkm-*ga_com.@yl\ed\Mc`dnSam]`g=l
`earg_5/,/#jh`s;, -26* 1527(*/-20'1024.._bqqcc9223*4.jb[cl=0.*,0$`
itjtpta_603,%oyq]ao61/ bkoid]kkmaobpn_h]8:bl\d.Fj\kc.Ni[xar$_^]6.#ba92
$dk\`e: %repnajg;3(/"evo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_
oY.3 .-158 ,*4 7*,3041(*/ 40. .AloaqbprmdoRcbC`rq.4!., KYthsq.9)1*
<<< skipped >>>


GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 01:48:18 GMT
Content-Type: application/octet-stream
Content-Length: 50225
Connection: keep-alive
x-amz-id-2: uKDjQ2KUsCQZWsO PzkXE 1WAq9Yn7xotVubQrOpTk6sbGEbvYnefEfk 1UZhiJI
x-amz-request-id: 6756A252B393ABF8
Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT
ETag: "10ffabc748d68c40b68f883058c9b932"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......PC..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..PC.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

The Malware connects to the servers at the folowing location(s):

%original file name%.exe_1928:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cdcabfhjcbb.exe 5-3-1-5-3-8-5-9-2-6-4 Kk1IPzopMyc2LBwqUFQ9TUE/NC4aK0lCU1JMSkZAQjctGyxDRFBMRDs7LDAzLzgbLDtEOzsqHCpNUUpBTT5LXUNAOC8yLS4vGyZRP05RQlFaUkpHNGZucGs3LipwXW1tLG5kYCpga20lX1hyWypka2VqHSc Q0c9R0RBPBssPCw0KyscKkExOCopGyZCLTkoLh8qQSw4JC8aKz8yPCguGCpHUElAUEBTWk1KRE0/PVU4HS5LT0c/TEFOW0BSSzw6GCpHUElAUEBTWks5SDw7O2BqX2QgLyhBY19tZCAvL0tpWXRccBorQFVEWlJKRzRmbnBrNy4qbV4pW2pdcmRxLV5sZSpqLSwrLSxoX21eKF1wX2FubC8sLXJfWmFcNF1gNi5hW2FdMF4sXDU3MzFZYS5iLC4sYDNfXiVqbHInMS9hLy1fKTJbMDA0XjQtMDQqMzAyKywoYGdtbGVgJGdebGEsMS01LDMvKzAzMTUxNCpZX2ZgXylhaWBuZSVrY19zYW0rZHNiGCo8Vj9bPkpDR0ZGQDQeKURKUFNaP0pKTlE/TjgvHypRQDxFSVNLUFxUTUk1Y2tyajYqLHNjXmZmaixgbmBicmpjbG5rbWxhLStiamonZGViX3QpbWdrPFxoNGRsYWBqb202JmFpY19vamNzbnFnbVwsXWtoI29mdDVBSUM/T0pDU05RR008QUlJIW1mOD5calljHy4rQ2tccGAgKS5KaFx2ZG0jZ2I0UD9SQEtUQCNhaWpyW2hnYnE4NmFeZmw3LhssVUg6KhsmQk0tOENRQEJLSicvKlZfYGJdNVpeLjFeX2FjMV8tWTMvNi5dYTRjLS8pXitiWxwqT1RJUUFIPF1RQUdATkhCQUg4RT9RTUk8GyxBTlZQT0pPRkxAOmxtbGMaK01CU1BPRkRFRVlRTkJRWkE5VEo7LBwqRUg/QlA4KB4pRU5
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rc64.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cdcabfhjcbb.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cdcabfhjcbb.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rc64.exe
nsisunz.dll
1.2.2
Extract: %f
%u byte%c
(%u byte%c)
%d.%d%d Ë%c
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
\|.qfw
.SLT,S
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
nsd2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cdcabfhjcbb.exe 5-3-1-5-3-8-5-9-2-6-4 Kk1IPzopMyc2LBwqUFQ9TUE/NC4aK0lCU1JMSkZAQjctGyxDRFBMRDs7LDAzLzgbLDtEOzsqHCpNUUpBTT5LXUNAOC8yLS4vGyZRP05RQlFaUkpHNGZucGs3LipwXW1tLG5kYCpga20lX1hyWypka2VqHSc Q0c9R0RBPBssPCw0KyscKkExOCopGyZCLTkoLh8qQSw4JC8aKz8yPCguGCpHUElAUEBTWk1KRE0/PVU4HS5LT0c/TEFOW0BSSzw6GCpHUElAUEBTWks5SDw7O2BqX2QgLyhBY19tZCAvL0tpWXRccBorQFVEWlJKRzRmbnBrNy4qbV4pW2pdcmRxLV5sZSpqLSwrLSxoX21eKF1wX2FubC8sLXJfWmFcNF1gNi5hW2FdMF4sXDU3MzFZYS5iLC4sYDNfXiVqbHInMS9hLy1fKTJbMDA0XjQtMDQqMzAyKywoYGdtbGVgJGdebGEsMS01LDMvKzAzMTUxNCpZX2ZgXylhaWBuZSVrY19zYW0rZHNiGCo8Vj9bPkpDR0ZGQDQeKURKUFNaP0pKTlE/TjgvHypRQDxFSVNLUFxUTUk1Y2tyajYqLHNjXmZmaixgbmBicmpjbG5rbWxhLStiamonZGViX3QpbWdrPFxoNGRsYWBqb202JmFpY19vamNzbnFnbVwsXWtoI29mdDVBSUM/T0pDU05RR008QUlJIW1mOD5calljHy4rQ2tccGAgKS5KaFx2ZG0jZ2I0UD9SQEtUQCNhaWpyW2hnYnE4NmFeZmw3LhssVUg6KhsmQk0tOENRQEJLSicvKlZfYGJdNVpeLjFeX2FjMV8tWTMvNi5dYTRjLS8pXitiWxwqT1RJUUFIPF1RQUdATkhCQUg4RT9RTUk8GyxBTlZQT0pPRkxAOmxtbGMaK01CU1BPRkRFRVlRTkJRWkE5VEo7LBwqRUg/QlA4KB4pRU5c
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
00000000
1.1523.78.0

cdcabfhjcbb.exe_252:

.text
`.rdata
@.data
.rsrc
@.reloc
9>t.hLWJ
.CGy,
<9%u3
FTPj
YPSSSh
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
X:X:X:X:X:X
\Google\Chrome\Application\chrome.exe
%d/%d/%d %d:%d:%d
3.7.16.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpReadData.
Error %d has occurred.
F%D,3
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpWriteData
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpSetOption
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
PSAPI.DLL
GetProcessHeap
KERNEL32.dll
EnumChildWindows
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
too many references to "%s": max 65535
%s.%s.%s
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
.?AVCWebPage@@
zcÁ
{A0386B19-B7E7-4BE7-B567-ABF77CBB6E60} = s `ATLExecServer'
`ATLExecServer.EXE'
val AppID = s {BCCC2C7F-1383-417B-944F-1677DF428E44}
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{D14931FB-8313-4BCC-91EB-62F4EF2A8FC4}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {D14931FB-8313-4BCC-91EB-62F4EF2A8FC4} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Tue Jan 20 14:30:53 2015
<BUTTON onclick='window.external.OnClick(theBody, "red");'>Red</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "green");'>Green</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "blue");'>Blue</BUTTON>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
55]5{5
2 2$2(2,20242>2
0$0@0\0!1
3!3%3)3-3
>!>%>)>->1>5>9>=>
1$1(1,1014181<1@1
2(2/24282<2]2
2&3,3034383
3)424>4{4
:!:%:):-:
7 7$7(7,707
: :$:(:,:0:4:8:<:
=,=4=<=\=
: :(:0:8:\:|:
6 6@6\6`6
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
SERVER_URL
EXE_URL
EXE_CMDLINE
THANKYOU_URL
RUNTIME_WELCOMEIMAGEURL
exeurl
execmdline
a\Microsoft\Windows\Cookies
a\Mozilla\Firefox\Profiles
\Mozilla\Firefox\Profiles
sqlite
cookies.sqlite
Chrome_WidgetWin_1
a\..\Local\Google\Chrome\User Data\Default\
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
a\Opera\Opera\
\..\..\Local Settings\Application Data\Opera\Opera\
cookies4.dat
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
places.sqlite
SELECT url FROM moz_places WHERE url LIKE '%
\..\Local\Google\Chrome\User Data\Default\
SELECT urls.url FROM urls WHERE urls.url LIKE '%
AMozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
\default.html
virtualoffercmd
CHROMEVERSION
&chromev=
&welcomeimgurl=
firefox
chrome
opera
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
ChromeHTML
FirefoxHTML
IE.AssocFile.HTM
Opera.HTML
http\shell\open\command
Opera.exe
Safari.exe
SOFTWARE\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
aSoftware\Mozilla\Mozilla Firefox
*.txt
@@exeurl
OfferURL
ExeURL
ExeURL2
RegKey
ReportName
PreExe
PostExe
RegKey64
AntivirusesRegKeys
PreExeResultTerm
PreExeResultValue
PostExeResultTerm
PostExeResultValue
PostRegKey32
PostRegKey64
RegKey32
{BCCC2C7F-1383-417B-944F-1677DF428E44}
OLEAUT32.DLL
Mscoree.dll
888816666554443
6666554443
!6666554443
WinHttpClient
VIRTUALOFFERCMD
VirtualOfferCMD
VirtualOfferCmd
virtualoffercmd:
n2d.exe
RTURL=
load.exe
downoad.exe
HMozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
LKERNEL32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cdcabfhjcbb.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
2015.22.718.6
2015227186.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GI15X10700.exe:1436
    wmic.exe:312
    %original file name%.exe:1928

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\81425260898.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\dc[1].js (2195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8690 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\DynamicOfferScreen[1].htm (2083 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\81425260898\GI15X10700.exe (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rc64.exe (433345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rc64.cdcabfhjcbb (9120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\7tm.dll (2528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cdcabfhjcbb.zip (61716 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now