Sample_6370fab243

by malwarelabrobot on April 21st, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6370fab243594f9a469c66fe6f14eeb3
SHA1: 51eeabf89ea1332a16e1ae16a705c14cdf3baec5
SHA256: 1d154e2c7506ab7c712fe716cc9a72825282622887a83586999a2545c9dd64ad
SSDeep: 24576: xGPhqy1fkXC6jWqMPP8iJUFN1aJ0gt6UKqicrN7L6:D5qrC35JMmh5Li2dL6
Size: 1079304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Malware (automated verdict). Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. The artefacts recorded below identify the sample more precisely: it is the Inno Setup installer for Uniblue PC Mechanic 1.0.5.0 (see VersionInfo), built with third-party offers ("InstallerBuiltWithOffers" = "1"). It fetches the PC Mechanic standalone setup from Uniblue's download hosts and an affiliate installer, aff_setup.exe, which follows a pay-per-install tracking redirect (track.backupgrid.net, dl=MyPCBackup_ppi_Setup.exe) and installs MyPC Backup under %Program Files% (x86)\OLBPre. Both downloads travel over plain HTTP. Nothing in the report goes beyond this bundleware profile, so the verdict is best read as potentially unwanted software unless analysis of the dropped files shows otherwise.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

aff_setup.exe:2456
thirdpartyinstaller.exe:2104
f17163569e4a465daf3b6da720d89cfd453527.exe:3016
%original file name%.exe:544
pm-standalone-setup.exe:2384
pm-standalone-setup.tmp:3036
6370fab243594f9a469c66fe6f14eeb3.tmp:1912
OLBPre.exe:1996
pc-mechanic.exe:2092

The Malware injects its code into the following process(es):

pc-mechanic.exe:1464

Note: pc-mechanic.exe is built on libcef.dll (Chromium Embedded Framework, listed under Dropped PE files), which starts further copies of the host executable as renderer subprocesses; parent-to-child handling of that kind is routinely reported by sandboxes as injection. Confirm the mechanism (which API wrote into the target, and what was written) before treating this entry as hostile.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process aff_setup.exe:2456 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1631.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_7303.dat (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe (70731 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8278.tmp (7055 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_5491.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)

The process thirdpartyinstaller.exe:2104 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (159 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)

The process f17163569e4a465daf3b6da720d89cfd453527.exe:3016 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
%Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
%Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\AccessControl.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe (35833 bytes)
%Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
%Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB2.tmp (53436 bytes)

The process %original file name%.exe:544 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4UT2U.tmp\6370fab243594f9a469c66fe6f14eeb3.tmp (50 bytes)

The process pm-standalone-setup.exe:2384 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1H51R.tmp\pm-standalone-setup.tmp (50 bytes)

The process pm-standalone-setup.tmp:3036 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\is-DO5B8.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-GQQ2S.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4809N.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-TC6LJ.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-VIO38.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-MT98U.tmp (1281 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SCO1H.tmp (11 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-JQ4AC.tmp (28498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-HM56Q.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-P9UK8.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8MS6Q.tmp (197872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-48GAC.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-5C6PO.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-63GPD.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-NQ169.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L6MCH.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-NUFSC.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-NA0D6.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-H6F47.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-O9S12.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0HCFP.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-GNJ87.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-KOCF3.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-89JUT.tmp (20504 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-UA41N.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-B3VTK.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5KR80.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-IAB01.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SL1JH.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-I4BQB.tmp (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-5F093.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1HFMO.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4922V.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-NC1C1.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-98M57.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-F6R1G.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-S6O40.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-KCV9H.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-0FK39.tmp (114305 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-374C7.tmp (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0VG09.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-340GT.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-DD808.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-HBFA9.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #002.txt (455577 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-KQIUT.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-NQ7OO.tmp (601 bytes)

The process 6370fab243594f9a469c66fe6f14eeb3.tmp:1912 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe (103056 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (5514 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe (1515154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe (18697 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #001.txt (23254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\checkmark_10x8.bmp (310 bytes)

The process OLBPre.exe:1996 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)

The process pc-mechanic.exe:1464 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7006 bytes)

The process pc-mechanic.exe:2092 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6125 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)

Registry activity

The process f17163569e4a465daf3b6da720d89cfd453527.exe:3016 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll,"
Note: an entry with an empty destination (the trailing comma) asks the session manager to delete the file at the next boot. NSIS installers queue their plugin DLLs this way when they cannot remove them at exit, so this is cleanup of the installer's own temporary file, not a change to a system file.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayVersion" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayName" = "MyPC Backup"
"DisplayIcon" = "%Program Files% (x86)\OLBPre\uninst.exe"
"Publisher" = "MyPC Backup"
"HelpLink" = "http://support.mypcbackup.com"
"URLInfoAbout" = "http://www.mypcbackup.com"
"UninstallString" = "%Program Files% (x86)\OLBPre\uninst.exe"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process pm-standalone-setup.tmp:3036 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"

[HKCR\pc-mechanic]
"URL Protocol" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "62107"
"InstallDate" = "20150420"
"Comments" = "Uninstall PC Mechanic"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"UnitID" = "4250"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MinorVersion" = "0"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"
"DisplayVersion" = "1.0.5.0"
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"

[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-04-20"

[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"
Note: this registers a browser-invokable pc-mechanic: URI scheme whose argument is handed to pc-mechanic.exe as --serial=%1, so any web page can launch the application with input of its choosing. The same process also appears below under "deletes the following value(s)" for exactly these keys, so the report alone does not establish whether the handler survives installation; check HKCR\pc-mechanic on a live install before either relying on it as an indicator or dismissing it as an attack surface.

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/crosspath/pcmechanicpm/pcm_de02/purchase/"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLInfoAbout" = "http://www.uniblue.com/support/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"

The Malware deletes the following value(s) in system registry:

[HKCR\pc-mechanic]
"URL Protocol"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)"

[HKCR\pc-mechanic]
"(Default)"

[HKCR\pc-mechanic\shell\open\command]
"(Default)"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"

The process 6370fab243594f9a469c66fe6f14eeb3.tmp:1912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "54 05 B2 0D F8 7A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process pc-mechanic.exe:1464 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

The following values were present under the autorun (Run) keys after execution. None of their targets (Adobe ARM, VMware Tools, Java Update, Adobe Reader) appears among the files the sample wrote, and they are the analysis VM's pre-installed software, so they are a baseline of the analysis machine rather than indicators for the sample. The persistence the sample itself establishes is recorded under File activity: the scheduled tasks C:\Windows\Tasks\PC-Mechanic Startup.job, PC-Mechanic Maintenance.job and PC-Mechanic Subscription.job (written by pc-mechanic.exe:2092) and the Startup-folder shortcut MyPC Backup.lnk (written by f17163569e4a465daf3b6da720d89cfd453527.exe:3016, the MyPC Backup installer):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

The process pc-mechanic.exe:2092 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

The same pre-existing Run values as recorded for pc-mechanic.exe:1464 above (baseline software of the analysis VM, not written by the sample). This process's own persistence is the three PC-Mechanic *.job scheduled tasks it writes to C:\Windows\Tasks (see File activity):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
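Added example (not part of the Lavasoft report): a Python triage of the registry and file entries above, in the report's own text format. It extracts entries under autostart locations (Run keys, URL protocol handlers, scheduled task files, the Startup folder) and attributes each either to the sample or to the analysis machine's baseline. The excerpt embedded in the script is copied from this report; the install-path prefixes used for attribution are this example's own assumption.

```python
import re
from dataclasses import dataclass

# Excerpt constructed from this report's "Registry activity" and "File activity"
# sections; the format is the report's own ("[key]" lines, "name" = "data" lines,
# and file paths followed by a size in parentheses).
REPORT_EXCERPT = r'''
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"UninstallString" = "%Program Files% (x86)\OLBPre\uninst.exe"

C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7006 bytes)
'''

# Assumption of this example: a registry value pointing under one of these
# prefixes was written by the sample; anything else under an autostart key is
# treated as the analysis machine's baseline until proven otherwise.
SAMPLE_INSTALL_PREFIXES = (
    r"%program files% (x86)\uniblue\pc-mechanic",
    r"%program files% (x86)\olbpre",
)

# Autostart locations this triage flags (registry keys or file paths).
AUTOSTART_PATTERNS = {
    "run_key": re.compile(r"\\currentversion\\run$", re.I),
    "url_protocol": re.compile(r"^hkcr\\[^\\]+\\shell\\open\\command$", re.I),
    "scheduled_task": re.compile(r"^c:\\windows\\tasks\\.+\.job$", re.I),
    "startup_folder": re.compile(r"\\start menu\\programs\\startup\\", re.I),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*"(.*)"$')
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \(\d+ bytes\)$")


@dataclass
class Autostart:
    kind: str
    location: str        # registry key or file path
    target: str          # value data (command line) or the file path itself
    owned_by_sample: bool


def parse_report(text):
    """Yield (source, location, target) for registry values and file writes."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield "registry", key, m.group(2)
            continue
        m = FILE_RE.match(line)
        if m:
            yield "file", m.group("path"), m.group("path")


def is_sample_path(target):
    return target.lower().startswith(SAMPLE_INSTALL_PREFIXES)


def triage(text):
    """Return every autostart entry in the excerpt, tagged with attribution."""
    found = []
    for source, location, target in parse_report(text):
        for kind, pattern in AUTOSTART_PATTERNS.items():
            if pattern.search(location):
                # File-activity lines are by definition writes by the sample's
                # processes; registry values need the path check.
                owned = source == "file" or is_sample_path(target)
                found.append(Autostart(kind, location, target, owned))
                break
    return found


if __name__ == "__main__":
    for entry in triage(REPORT_EXCERPT):
        tag = "SAMPLE  " if entry.owned_by_sample else "BASELINE"
        print(f"{tag} {entry.kind:15} {entry.target}")
```

Run against the excerpt, the two Run values come out as baseline and the URL handler, the two task files and the Startup shortcut as the sample's; the Uninstall key and error.log are ignored because they are not autostart locations. Attribution by path prefix is a heuristic: a sample that writes into a third party's directory would slip past it, so compare against a clean snapshot of the VM when one is available.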

Dropped PE files

MD5 File path
e5cc3997457cd365e43c19f0f9110148 c:\Program Files (x86)\OLBPre\LinqBridge.dll
bb96c55079ead70a35746ad4f8509bab c:\Program Files (x86)\OLBPre\OLBPre.exe
660605e24b0cf1068bfbb4a4ec647652 c:\Program Files (x86)\OLBPre\uninst.exe
2ae42712f67f30dfeb9b7ae8798e1c29 c:\Program Files (x86)\Uniblue\PC-Mechanic\InstallerExtensions.dll
6de5c66e434a9c1729575763d891c6c2 c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcp90.dll
e7d91d008fe76423962b91c43c88e4eb c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcr90.dll
5434e18b933e03f274d8da59fda4c676 c:\Program Files (x86)\Uniblue\PC-Mechanic\icudt.dll
28888738b5521923a244fac763767db4 c:\Program Files (x86)\Uniblue\PC-Mechanic\libcef.dll
a681d994fefa6865b181937c97688c96 c:\Program Files (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe
718355a4c81fdae7e890292ed04c0dac c:\Program Files (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe
5bf98032f3b5ac20ed8160d9a183baff c:\Program Files (x86)\Uniblue\PC-Mechanic\unins000.exe
8261a06c2664ace68b763ab096fcaca8 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe
6843e5f8e199b000decdb9ef0cb74b3f c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe
8261a06c2664ace68b763ab096fcaca8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe
89a093e37ca6953ebbe96f59310e11b7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe
2ae42712f67f30dfeb9b7ae8798e1c29 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll
526426126ae5d326d0a24706c77d8c5c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp
92dc6ef532fbb4a5c3201469a5b5eb63 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll
6843e5f8e199b000decdb9ef0cb74b3f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe
62efa7b730eb0523a026ea4325403b77 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Uniblue Systems Limited
Product Name: PC Mechanic
Product Version: 1.0.5.0
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.0
File Description: PC Mechanic Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text            4096         61740     61952  4.43024  3a126e478661f20816f9d9285615f98e
.itext          69632          2884      3072  3.97317  ba48b9b17b3dd8b92da3bd93f20ddb34
.data           73728          3208      3584  1.55702  d7fd5f4b562d7961758f3d6a8c834fd0
.bss            77824         22196         0  0        d41d8cd98f00b204e9800998ecf8427e
.idata         102400          3536      3584  3.44625  93d91a2b90e60bd758fc0c4908856ae1
.tls           106496             8         0  0        d41d8cd98f00b204e9800998ecf8427e
.rdata         110592            24       512  0.14174  3dffc444ccc131c9dcee18db49ee6403
.rsrc          114688        240000    240128  3.69358  e4a89d11d280d5a8143e7f337ebee43a

Note: no section exceeds 4.5 bits per byte, so the code and data of the stub are not packed; the "Entropy: Packed" field and the UPolyX PEiD match should be discounted. VersionInfo says the file was built with Inno Setup, whose setup stub is Delphi-compiled (hence the BorlandDelphi match) and carries the compressed setup archive as an overlay appended after the last section. The raw sizes above sum to 312,832 bytes, so roughly 765 KB of the 1,079,304-byte file (assuming 0x400 bytes of headers) lies outside the section table; that overlay, not the sections, is where a packed archive's entropy shows up.
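Added example (not the report's or Uniblue's code): a Python check that entropy has to be measured per section and over the overlay separately, which is what a single "Entropy: Packed" verdict glosses over. It parses a PE section table, computes each section's entropy together with the size and entropy of the data past the last section, and applies the same arithmetic to this report's section table. The PE image it analyses is a synthetic one it builds in memory (constant .text, uniform .rsrc, SHA-256 output standing in for a compressed archive); the 0x400-byte header size used for the report estimate is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return abs(h)  # abs() only normalizes the -0.0 that constant data produces


def pe_sections(data: bytes):
    """Parse the section table of a PE image; raises ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    off = coff + 20 + size_opt
    for _ in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes)
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
        })
        off += 40
    return sections


def analyze(data: bytes):
    """Per-section entropy plus whatever lies past the last section (the overlay)."""
    sections = pe_sections(data)
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = data[end:]
    return {
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
    }


def estimate_overlay_from_table(file_size: int, raw_sizes, header_size: int = 0x400) -> int:
    """Overlay estimate from a report's section table alone (no raw pointers);
    assumes the sections sit back to back after header_size bytes of headers."""
    return file_size - header_size - sum(raw_sizes)


def build_test_pe(overlay: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 image for demonstration: 0x400 bytes
    of headers, a constant .text section, a uniform .rsrc section, then the overlay."""
    header_size = 0x400
    text = b"\x90" * 0x1000                  # entropy 0.0
    rsrc = bytes(range(256)) * 16            # entropy 8.0
    layout = [(b".text", 0x1000, text), (b".rsrc", 0x2000, rsrc)]
    hdr = bytearray(header_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x84 + 20, 0x10B)                 # PE32 magic
    off, ptr, body = 0x84 + 20 + 0xE0, header_size, b""
    for name, vaddr, content in layout:
        struct.pack_into("<8sIIIIIIHHI", hdr, off, name.ljust(8, b"\0"),
                         len(content), vaddr, len(content), ptr, 0, 0, 0, 0, 0x60000020)
        off, ptr, body = off + 40, ptr + len(content), body + content
    return bytes(hdr) + body + overlay


# A deterministic stand-in for compressed setup data (high entropy).
FAKE_ARCHIVE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# Numbers from this report's PE Sections table and its Size field.
REPORT_FILE_SIZE = 1079304
REPORT_RAW_SIZES = [61952, 3072, 3584, 0, 3584, 0, 512, 240128]

if __name__ == "__main__":
    result = analyze(build_test_pe(FAKE_ARCHIVE))
    for s in result["sections"]:
        print(f'{s["name"]:8} raw={s["raw_size"]:6} entropy={s["entropy"]:.2f}')
    print(f'overlay: {result["overlay_size"]} bytes, entropy {result["overlay_entropy"]:.2f}')
    print("report overlay estimate:", estimate_overlay_from_table(REPORT_FILE_SIZE, REPORT_RAW_SIZES))
```

On a real file, read it with open(path, "rb") and pass the bytes to analyze(); an installer with low section entropy and a large high-entropy overlay is the profile seen here, whereas a runtime packer shows the high entropy inside the sections themselves.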

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 166
595f1fc6db9af2f5b74feffe71c7a123
a63983b8148a9dbb51de498d3831e142
4f7921744d1b44754678161fb41c27bf
56f58db64e07dbb9fb549fe0b74f0bd9
284f9c42d36b49cd82841c128630f385
68f7cea38bac51f19c9bf5e9f720a88c
036ab1a2b116104300bdcf47c73661cb
3bfba3c8c3687d344b2f1ac1885f48c2
07c2c6d77dead8e72846174d8f034016
07cb679acc810aa050cc2353509e5393
8643014e30fccffd0048979713cb7001
eb2d058ca6921e2c6d56f35f5502a4d4
e3b5bd3126a441609fa77f52a36ae298
b49995f511e0b27eba38a7e2b08de623
c0c14fd4f291d6001d09993c25e3825b
5906a85cd27be3d0508bc3f1ec5e62de
8f0dd6d56f6866b5ed1effe628d7c71b
b153399713231db375646f1d0f00ab81
ed1a11d0c026c535c9400af0cc285c8d
a4db7fea7fc4bc8ddca8f616d1b44968
a31c60775ffa14da852aebac7b20b350
8be396cd92a8dcc0aa3cb8034507ee02
1f22d7f81ed540bd5af17738eadaf9d6
f56a7328f430b18efa42246422615699
eaee4be2373fe1db7128b7367bcab4ca

URLs

URL IP
hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe
hxxp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe 54.230.45.7
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/pm/version.txt?from=1.0.5.0
hxxp://api.uniblue.net/v1/geo/country-code 54.228.215.241
hxxp://s3-1-w.amazonaws.com/latest_updates/application.txt
hxxp://uniblue.com/api/v1/geo/country-code 54.247.66.171
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/track
hxxp://track.backupgrid.net/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe 184.154.139.137
hxxp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe 184.154.139.131
hxxp://backupgrid.jdibackup.netdna-cdn.com/MyPCBackup_ppi_Setup.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807 87.245.216.19
hxxp://tracking.uniblue.com/v1/track 54.246.127.16
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 87.245.216.57
hxxp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt 54.231.10.57
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 87.245.216.57
hxxp://tracking.uniblue.com/v1/collect 54.246.127.16
hxxp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe 94.31.29.237
hxxp://www.uniblue.com/api/v1/geo/country-code 176.34.97.132
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.216.57
hxxp://update.uniblue.com/pm/version.txt?from=1.0.5.0 54.243.120.72
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.51.123.27
hxxp://download.uniblue.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe 54.243.120.72
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= 23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 87.245.216.57
hxxp://cdn.backupgrid.net/aff_setup.exe 94.31.29.237
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= 23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d 87.245.216.19
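Added example (not part of the Lavasoft report): a Python triage of the URL table above. It refangs the hxxp:// entries, separates Authenticode-verification noise (CRL downloads, OCSP-over-GET requests, root store updates) and shared CDN names from the vendor's own download and tracking hosts, and pulls the pay-per-install parameters out of the track.backupgrid.net redirect. The URL subset is copied from the table; the category names and the list of shared-infrastructure suffixes are this example's own choices.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# A subset of the defanged URLs from this report's URL table, copied as printed.
REPORT_URLS = [
    "hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe",
    "hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect",
    "hxxp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe",
    "hxxp://api.uniblue.net/v1/geo/country-code",
    "hxxp://track.backupgrid.net/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe",
    "hxxp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe",
    "hxxp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe",
    "hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl",
    "hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807",
    "hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=",
    "hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=",
    "hxxp://update.uniblue.com/pm/version.txt?from=1.0.5.0",
    "hxxp://download.uniblue.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe",
    "hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl",
]

# Windows certificate-chain plumbing that shows up in any Authenticode-signed
# installer's traffic; it is not the sample's infrastructure.
PKI_HOSTS = {"crl.microsoft.com", "ctldl.windowsupdate.com"}
# CDN / load-balancer names the vendor hostnames resolve to (seen in the URL
# table); blocking them would hit unrelated tenants, so they stay off the list.
SHARED_INFRA_SUFFIXES = (".akamai.net", ".akamaiedge.net", ".elb.amazonaws.com",
                         ".cloudfront.net", ".netdna-cdn.com")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def refang(url: str) -> str:
    """Turn the report's hxxp:// notation back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def looks_like_ocsp_get(url: str) -> bool:
    """OCSP over GET puts the base64 DER OCSPRequest in the path (RFC 6960 A.1);
    a DER SEQUENCE starts with 0x30, which is why these paths all begin 'MF'."""
    token = urlsplit(refang(url)).path.lstrip("/")
    if len(token) < 32 or len(token) % 4 or not B64_RE.match(token):
        return False
    try:
        der = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def classify(url: str) -> str:
    parts = urlsplit(refang(url))
    host, path = parts.hostname or "", parts.path.lower()
    if host in PKI_HOSTS or host.startswith("ocsp.") or path.endswith(".crl") \
            or looks_like_ocsp_get(url):
        return "pki_noise"
    if path.endswith(".exe"):
        return "executable_download"
    if host.split(".")[0].startswith("track"):
        return "tracking"
    return "vendor_other"


def triage_urls(urls):
    """Group refanged URLs by category."""
    groups = {"pki_noise": [], "executable_download": [], "tracking": [], "vendor_other": []}
    for url in urls:
        groups[classify(url)].append(refang(url))
    return groups


def build_blocklist(urls):
    """Hosts worth blocking or hunting for: download and tracking endpoints that
    are not shared CDN / load-balancer names."""
    hosts = set()
    for url in urls:
        host = urlsplit(refang(url)).hostname or ""
        if classify(url) in ("executable_download", "tracking") \
                and not host.endswith(SHARED_INFRA_SUFFIXES):
            hosts.add(host)
    return sorted(hosts)


def ppi_params(url: str) -> dict:
    """Pay-per-install tracking parameters (partner_id, hash, tid, dl) from a
    tracking redirect URL; single-valued for readability."""
    return {k: v[0] for k, v in parse_qs(urlsplit(refang(url)).query).items()}


if __name__ == "__main__":
    for cat, items in triage_urls(REPORT_URLS).items():
        print(f"{cat}: {len(items)}")
    print("blocklist:", build_blocklist(REPORT_URLS))
    print("ppi:", ppi_params(REPORT_URLS[4]))
```

Of the fourteen entries, five are PKI noise, four are executable downloads, three are tracking beacons and two are other vendor endpoints; the blocklist reduces to cdn.backupgrid.net, download.uniblue.com, track.backupgrid.net and track.mypcbackup.com. The OCSP check decodes the path rather than matching on the host name, so it also catches the akamaiedge.net aliases the table lists without a recognisable name.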


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Python-urllib/ Suspicious User Agent

Note: the two checksum alerts are the usual artefact of NIC checksum offload on a virtual machine and carry no signal. The S3, shellcode and VMProtect signatures are content matches on executables fetched over plain HTTP (pcmechanicpm-standalone-setup.exe, aff_setup.exe and MyPCBackup_ppi_Setup.exe are all retrieved from hxxp:// URLs). That is the security-relevant point: second-stage installers arrive unencrypted, and an on-path attacker could substitute them unless the downloader verifies their Authenticode signatures (the CRL and OCSP traffic shows certificate-chain validation of something, most likely a signature, but not of which file). The captured requests reproduced below use the NSISDL/1.2 and WinHttp.WinHttpRequest.5 user agents; the request that triggered the Python-urllib alert is not among them.

Traffic

Note: the tracking beacons below report "third_party_offer_not_shown" followed by "install_completed" for unit_id 4250, while the file and registry activity above record the MyPC Backup offer being fetched and installed (aff_setup.exe, then f17163569e4a465daf3b6da720d89cfd453527.exe, then OLBPre). The report does not show whether thirdpartyinstaller.exe presented any consent dialog, so that is the first thing to verify when assessing this bundle.

GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 301 Moved Permanently
Date: Sun, 19 Apr 2015 23:25:10 GMT
Server: Apache
Set-Cookie: SESSID=u5vgl1fc5an4fir3seo975ttd6; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:10 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:10 GMT; path=/; domain=.backupgrid.net
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.backupgrid.net
location: hXXp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 141
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.third_party_offer_not_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:05 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:05 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{. "status": "OK".}
..
..



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 131
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_completed","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:12 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:12 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{. "status": "OK".}..


GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:25:09 GMT
Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code
Server: ngx_openresty
Content-Length: 178
Connection: Close
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..
<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=360157, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT
Expires: Fri, 24 Apr 2015 03:30:03 GMT
Date: Sun, 19 Apr 2015 23:29:19 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`[email protected]
7033003Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.%Qq.........w.O.....20150417033003Z....20150424033003Z0...*.H........
......<.t.72.....&.Rtn....} ....-G....... ...9...E...M.I.E..:...M.=
.8v..*.b.Ê[email protected]....[(j..K.
t.d.....!.....j.....(f.C*. I.......N.....rU.x.U..9.9$..L..|(t.w-aR<
.0,(..'L$ ...L..[.......v.......w{{.w)s...i.d~.....M...;~....0...0...0
..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Tha
wte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..1506
01235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code
Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z
.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.
j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......
{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y........
....8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U
.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U..
..TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~
..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Y
u.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]..
.y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t..
..>.....j....

<<< skipped >>>

GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: VVV.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/plain
Date: Sun, 19 Apr 2015 23:25:10 GMT
Server: ngx_openresty
Content-Length: 3
Connection: Close
UA...


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_included","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:10 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:10 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:27 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:27 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 133
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_accepted","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:33 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:33 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:34 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:45 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:45 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}..


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_accepted","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:01 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:01 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{. "status": "OK".}
..
..



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 143
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_download_initiated","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:13 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}....


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 123
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:10 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:10 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:27 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:27 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 122
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:33 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:33 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....



POST /v1/collect HTTP/1.1

Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 144
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_completed","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:35 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Sun, 19 Apr 2015 23:28:35 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{. "status": "OK".}
....


GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sun, 19 Apr 2015 23:28:42 GMT
Connection: keep-alive


GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
....



GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
....



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Thu, 05 Mar 2015 06:01:35 GMT..ETag: "cf2633d6957d01:0"..Cache
-Control: max-age=900..Date: Sun, 19 Apr 2015 23:29:13 GMT..Connection
: keep-alive..


GET /v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: api.uniblue.net
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:28:46 GMT
Location: hXXp://uniblue.com/api/v1/geo/country-code
Server: nginx/1.1.19
Content-Length: 161
Connection: Close
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..
<center><h1>302 Found</h1></center>..<hr><center>nginx/1.1.19</center>..</body>..</html>....


GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: download.uniblue.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:24:57 GMT
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe
Server: openresty/1.5.8.1
Content-Length: 166
Connection: keep-alive
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..
<center><h1>302 Found</h1></center>..<hr><center>openresty/1.5.8.1</center>..</body>..</html>..
HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Date: Sun, 19 Apr 2015 23:24:57 GMT..
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe..
Server: openresty/1.5.8.1..Content-Length: 166..Connection: keep-alive..
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..
<center><h1>302 Found</h1></center>..<hr><center>openresty/1.5.8.1</center>..</body>..</html>....


GET /MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:51 GMT
Content-Type: application/octet-stream
Content-Length: 1120161
Connection: close
x-amz-id-2: 6hUdvPx7FH7Yn0RQuWLnIKsEq/a4YnTzlbjOJCC 22WLHMJ7WoJPCGzbjqZgGzXUM7hvvJH4WDo=
x-amz-request-id: 478165AF27847D6C
Last-Modified: Sun, 19 Apr 2015 20:57:17 GMT
ETag: "89a093e37ca6953ebbe96f59310e11b7"
Server: NetDNA-cache/2.2
X-Cache: HIT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^.
.K.................b...........6............@.........................
.P.......................................................p............
......................................................................
.............................text....a.......b.................. ..`.r
data...............f..............@[email protected]..........
[email protected]........
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected]...\.@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
[email protected]...`[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ...Pj.h.[[email protected].@._^3.
[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: d21bsqatndqkg8.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 18839984
Connection: keep-alive
Date: Wed, 18 Mar 2015 10:47:04 GMT
Cache-Control: max-age=86400, public
Last-Modified: Wed, 18 Mar 2015 10:32:55 GMT
ETag: "6843e5f8e199b000decdb9ef0cb74b3f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 4469
X-Cache: Hit from cloudfront
Via: 1.1 640d3bc78d87dcf13f5ba92e326ec5e8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: NZ_Db36sruc6A7B2jZY-yonP_yCIxtNcED7dl3AFOm14yr-KKOPdLw==
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....WZR............
......................... [email protected]............
[email protected]`..h.......
......................................................................
...............text...,........................... ..`.itext..D.......
.................... ..`.data........ [email protected]..
...V...0...........................idata..............................
@....tls.....................................rdata....................
..........@[email protected]................ ..............@..@................
....................@..@..............................................
......................................................................
[email protected]............
@...string([email protected]......@...............................@.....
.... 9@.([email protected]@[email protected]@[email protected]@..9@.,[email protected]@[email protected].%..A....%..A.
...%..A....%..A....%..A....%..A....%(.A....%..A....%$.A....%..A....%..
A....%..A....%..A....%..A....%|.A....%x.A....%t.A....%p.A....%l.A....%
h.A....% .A....%d.A....%`.A....%\.A....%..A....%..A....%..A....%X.A...
.%T.A....%..A....%..A....%..A....%P.A....%L.A....%H.A....%D.A....%@.A.
..S..........$D...T.J....D$,.t...\$0....D[..@..%<.A....%8.A....

<<< skipped >>>

GET /aff_setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn.backupgrid.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:48 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-id-2: OavKHu0NQHzBLxdBIk3icse05Fm1ln40bMEXB8jjyGu8aUqtsgBSJMtcpkYTerjhnKifA0ZyjYY=
x-amz-request-id: F6085267AA27BD8A
Last-Modified: Sun, 19 Apr 2015 23:21:32 GMT
ETag: W/"8261a06c2664ace68b763ab096fcaca8"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip
500a..............{|T..?...0...$. ...........@&....2...1..3.$f.....8..
..k{l....4...z...b....$(*...........i.......L@O{....{?..'......Z.Y.m=.
.w..yV0..`DPUA..........F..[^.-.........&.................u..q..A..V.Z
..vY..Uzg...d.....e.<&V...&..........o...J<'.}.z ..y.'..... D...
....%.$a....J...f.(]. <......y.........zm...t.C...*D...8....*....2.
=AA.K..A..."./...a...G..$.&.....Cx=....1.g...f5T.K.........U......,.L.
<.z.Da*.&.......U..<.....`........4.m.Z$...............%.....`c.
Y..o..H....2-J..b..Zdt..E.SU..f.x..D.@2\n%....c...(Z...._.9R...Z^)....
..OP&..P7 ..y_.r.>...R.S...f..:..C.../.....P..Y.}KK./.3C...JPc.....
r..%..p....L.}.Q.aG.3T<.f,B7AG.1.Hwj.......UNWO........7...|r.*y..s
..%...A..DiL..<]...M][email protected]".QOk....s.TQxt.r3*y..(...N
.ID..Ym.<z..EP.d...........P[.GY.7...K.........(./P..>J..B.I1.t.
%...I..Fi....-G%k.2.i.G).....Pg{/.Y.D5....X....F..^.L)1...W.P.2....5|.
.....J.i.^..[.*%g.X.*2.ep$........LSx.N1..)>.r.SP..Fy.@.]2....N...g
....$jA9....."G...`.. }.l.....R.=.....8.5xT.Zj..7L..m x.....I.aF.i.(..
...6.....|cH2..b...!}Q............R.HZ..!Hn.s..G.O(....c.v&7Sz(.}.C.!j
.......&.....%...w..x.x....?...U..M.V:.s.......MGx..7..{_J....A#.hm...
..c6.Ja..%[email protected]..^..X"[email protected]......".....:.........V...:.i..F
{Ql.".m./.3.% U...%]xd.....Sx..e.m.e..s...S.......i....4~..Y.VP.[c.#..
4.....jX5.....2$...s.sT!DM.2....&O.....U..S_.T).QJ.*.).A..>..R:?N1.
..........`..............*2.WV..3..2..gv.}..`:zV...G.......WPQ..V.r.r.
[.t.iPS5....[6hn.j...a....#..}.*d.o.[\D.[..n............T\}.....z7

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=376305, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT
Expires: Fri, 24 Apr 2015 08:00:00 GMT
Date: Sun, 19 Apr 2015 23:29:32 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
7080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
.....A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e
,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3
......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8......
.._....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:49 GMT
Server: ngx_openresty
Content-Length: 20
Connection: Close
{.  "status": "OK".}..


GET /latest_updates/application.txt HTTP/1.1
Accept-Encoding: identity
Host: pm.uniblue.com.s3.amazonaws.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK
x-amz-id-2: smCvET7EKdGL90gPQyS9ZYJV0oNnHzbqj5Br1xKWF4rjIH8UlcOmmOAZfaNZC9DP15rF9uRGt7g=
x-amz-request-id: 38C8E0ECA58FFA75
Date: Sun, 19 Apr 2015 23:25:10 GMT
Cache-Control: max-age=86400, public
Last-Modified: Tue, 24 Mar 2015 09:46:29 GMT
ETag: "7afc8227ca4783a30e4f834d1815a2fe"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 7
Server: AmazonS3
1.0.5.0..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=395989, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 13:24:57 GMT
Expires: Fri, 24 Apr 2015 13:24:57 GMT
Date: Sun, 19 Apr 2015 23:29:32 GMT
Connection: keep-alive
0..........0..... [email protected]
7132457Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150417132457Z....20150424132457Z0...*.H.....
........Y.4.<..&r.....&.>'.TqX.E...*...............Lp3.p.MU..^..
...!e4.xN..1u.#.ox.....5.....j....&.....E...H=}..S....l..5{.........BO
.......8[.~2:[}..W.SVd.y..%\f.x.op...]uE..W0.......}.. .S..Fp..".....:
Iw ....M.....9l.>G.........;.#.>.B..... h...&.4.dARH..8(...r...5
0..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certificatio
n Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized us
e only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959
Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Tr
ust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certifi
cate 30.."0...*.H.............0..........6..]......w';.r........I..c..
4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....
e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<
./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I.
..B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0
R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.sy
mauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U.
...0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i
..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.

<<< skipped >>>

HEAD /aff_setup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: cdn.backupgrid.net


HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:13 GMT
Content-Type: application/octet-stream
Content-Length: 159277
Connection: keep-alive
x-amz-id-2: OavKHu0NQHzBLxdBIk3icse05Fm1ln40bMEXB8jjyGu8aUqtsgBSJMtcpkYTerjhnKifA0ZyjYY=
x-amz-request-id: F6085267AA27BD8A
Last-Modified: Sun, 19 Apr 2015 23:21:32 GMT
ETag: "8261a06c2664ace68b763ab096fcaca8"
Server: NetDNA-cache/2.2
X-Cache: HIT
HTTP/1.1 200 OK..Date: Sun, 19 Apr 2015 23:24:13 GMT..Content-Type: ap
plication/octet-stream..Content-Length: 159277..Connection: keep-alive
..x-amz-id-2: OavKHu0NQHzBLxdBIk3icse05Fm1ln40bMEXB8jjyGu8aUqtsgBSJMtc
pkYTerjhnKifA0ZyjYY=..x-amz-request-id: F6085267AA27BD8A..Last-Modifie
d: Sun, 19 Apr 2015 23:21:32 GMT..ETag: "8261a06c2664ace68b763ab096fca
ca8"..Server: NetDNA-cache/2.2..X-Cache: HIT..


GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 301 Moved Permanently
Date: Sun, 19 Apr 2015 23:25:11 GMT
Server: Apache
Set-Cookie: SESSID=mmciag1jukjensg51tfbgv4nn7; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=11a7adb1cd6b23f5b5ad8f60b8254981; expires=Mon, 17-Aug-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Mon, 20-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe
Set-Cookie: aff_id=67333; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=MaxiDisk1; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=97175; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=5729abc4979b2fa22c9189cabaf59842; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=PC-Mechanic; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 9bf5853aunique=true; expires=Sat, 18-Jul-2015 23:25:11 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=458565, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 06:50:09 GMT
Expires: Sat, 25 Apr 2015 06:50:09 GMT
Date: Sun, 19 Apr 2015 23:29:17 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=504664, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 19:40:18 GMT
Expires: Sat, 25 Apr 2015 19:40:18 GMT
Date: Sun, 19 Apr 2015 23:29:17 GMT
Connection: keep-alive

<<< skipped >>>

POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:46 GMT
Server: ngx_openresty
Content-Length: 20
Connection: Close
{
  "status": "OK"
}


GET /pm/version.txt?from=1.0.5.0 HTTP/1.1
Accept-Encoding: identity
Host: update.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 302 Found
Cache-Control: max-age=600
Content-Type: text/plain
Date: Sun, 19 Apr 2015 23:25:09 GMT
Location: hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
Server: openresty/1.5.8.1
Content-Length: 69
Connection: Close
hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 438486457400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:22 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=398696, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 14:10:10 GMT
Expires: Fri, 24 Apr 2015 14:10:10 GMT
Date: Sun, 19 Apr 2015 23:29:22 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=487112, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 14:45:04 GMT
Expires: Sat, 25 Apr 2015 14:45:04 GMT
Date: Sun, 19 Apr 2015 23:29:23 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=406544, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 16:24:47 GMT
Expires: Fri, 24 Apr 2015 16:24:47 GMT
Date: Sun, 19 Apr 2015 23:29:23 GMT
Connection: keep-alive

<<< skipped >>>

POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:05 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{
  "status": "OK"
}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:07 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{
  "status": "OK"
}


The Malware connects to the servers at the following location(s):

pc-mechanic.exe_1464:

.text
`.rdata
@.data
.rsrc
USER32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
windows_exe
%s\%s
PYTHON27.DLL
zlib.pyd
ZLIB.PYD
<zlib.pyd>
Not enough space for new sys.path
no mem for late sys.path
PY2EXE_VERBOSE
PyImport_ImportModule
PyExc_ImportError
PyImport_AddModule
undefined symbol %s -> exit(-1)
Importer which can load extension modules from memory
s#sss:import_module
MemoryLoadLibrary failed loading %s
Could not find function %s
import_module
import_module(code, initfunc, dllname[, finder]) -> module
_memimporter
%Program Files% (x86)\Uniblue\PC-Mechanic\library.dat
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe
%Program Files% (x86)\Uniblue\PC-Mechanic
pc-mechanic.exe
library.dat
windows_exet
.logc
The logfile '%s' could not be opened:
See the logfile '%s' for details(
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt
zipextimportert
<install zipextimporter>R$
library.dats
app.main(
joint
__import__t
bootstrap_main.pyR$
<asmv3:windowsSettings
xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
1.0.5.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    aff_setup.exe:2456
    thirdpartyinstaller.exe:2104
    f17163569e4a465daf3b6da720d89cfd453527.exe:3016
    %original file name%.exe:544
    pm-standalone-setup.exe:2384
    pm-standalone-setup.tmp:3036
    6370fab243594f9a469c66fe6f14eeb3.tmp:1912
    OLBPre.exe:1996
    pc-mechanic.exe:2092

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1631.pdf (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_7303.dat (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\LogEx.dll (1597 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsRandom.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe (70731 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8278.tmp (7055 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsJSON.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\NSISdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_5491.txt (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (159 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
    %Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
    %Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
    %Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
    %Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsRandom.dll (808 bytes)
    %Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\AccessControl.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\DotNetChecker.dll (1597 bytes)
    %Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
    %Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsExec.dll (14 bytes)
    %Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
    %Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB2.tmp (53436 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4UT2U.tmp\6370fab243594f9a469c66fe6f14eeb3.tmp (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1H51R.tmp\pm-standalone-setup.tmp (50 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-DO5B8.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-GQQ2S.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4809N.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-TC6LJ.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\license.en.rtf (26 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-VIO38.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-MT98U.tmp (1281 bytes)
    C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SCO1H.tmp (11 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-JQ4AC.tmp (28498 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\windows8_with_innovation.bmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-HM56Q.tmp (4545 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-P9UK8.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-8MS6Q.tmp (197872 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-48GAC.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\InstallerExtensions.dll (715 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-5C6PO.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-63GPD.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-NQ169.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L6MCH.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-NUFSC.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-NA0D6.tmp (75544 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-H6F47.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-O9S12.tmp (112 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0HCFP.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-GNJ87.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_setup64.tmp (6 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-KOCF3.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-89JUT.tmp (20504 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-UA41N.tmp (3361 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-B3VTK.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5KR80.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-IAB01.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SL1JH.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-I4BQB.tmp (524 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-5F093.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1HFMO.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4922V.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-NC1C1.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-98M57.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-F6R1G.tmp (4 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-S6O40.tmp (601 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-KCV9H.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-0FK39.tmp (114305 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-374C7.tmp (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\printer.bmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0VG09.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-340GT.tmp (10 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-DD808.tmp (35285 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-HBFA9.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #002.txt (455577 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-KQIUT.tmp (601 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-NQ7OO.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe (103056 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\windows8_with_innovation.bmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\printer.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe (1515154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe (18697 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\banner_icon.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll (715 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\microsoft_partner.bmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\license.en.rtf (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #001.txt (23254 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\checkmark_10x8.bmp (310 bytes)
    %Program Files% (x86)\OLBPre\state.jdat (428 bytes)
    %Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7006 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
    C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
    C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
    C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
