Sample_faea69c49f
mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: faea69c49ffb25161c0475e4a7320dd0
SHA1: e3785d065be9f71b962dc8eee41e80052337f32b
SHA256: 0012d225d7aa7401949074fb6c332121ea1cfa72efdfdb341df09719266024cf
SSDeep: 49152:kNjKEhegFjRO3RGMRvHTWINhw65CYTxaaToY:hEhljRO3RvRlw65CYwaToY
Size: 2002144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PC Drivers HeadQuarters
Created at: 2012-04-25 04:16:29
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
csc.exe:2468
csc.exe:1424
MSIEXEC.EXE:212
ochelper.exe:1372
cvtres.exe:2448
cvtres.exe:2764
MSI4C8C.tmp:580
%original file name%.exe:384
The Malware injects its code into the following process(es):
Offercast2802_PCD_.exe:2276
Offercast2802_PCD_.exe:2500
MsiExec.exe:2588
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process csc.exe:2468 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSCB569.tmp (700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.dll (4930 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.out (120 bytes)
The process csc.exe:1424 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.dll (4258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSCB672.tmp (700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.out (240 bytes)
The process Offercast2802_PCD_.exe:2276 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\CRPrimary-ext[1].png (1801 bytes)
C:\Users\"%CurrentUserName%"\Documents\APNSetup.exe (6657 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\orchestrator1[1].htm (923 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\APNAnalytics.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scrolltext.xml (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IEPrimary.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\pipcore-min[1].js (37170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ochelper[1].exe (2309 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\scrolltext[1].xml (2969 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\APNAnalytics[1].xml (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CRPrimary-ext.png (10 bytes)
C:\Users\"%CurrentUserName%"\Documents\APNSetup1.exe (6657 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\IEPrimary[1].png (1803 bytes)
The process Offercast2802_PCD_.exe:2500 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\orchestrator.html (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\objectmodel.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\rules.js (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\v7tb.png (10 bytes)
The process MSIEXEC.EXE:212 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Windows\Installer\MSI450B.tmp (512335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4BB0.tmp (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_65128B3C2E64A999469787910011EEC0 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI74c7c.LOG (3844 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C8C.tmp (7596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIADFE.tmp (8281 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIB9F1.tmp (14988 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_65128B3C2E64A999469787910011EEC0 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C2E.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIBD6B.tmp (14988 bytes)
The process ochelper.exe:1372 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.dll (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.dl_ (14 bytes)
The process cvtres.exe:2448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RESB673.tmp (3950 bytes)
The process cvtres.exe:2764 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RESB57A.tmp (3950 bytes)
The process MSI4C8C.tmp:580 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe (129587 bytes)
The process %original file name%.exe:384 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 3.5 SP1 (Windows Feature).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0410.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1 (IA64).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Setup.INI (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0409.ini (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~2E11.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1 (x64).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\1033.MST (1937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x040c.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x040a.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\_ISMSIDEL.INI (22060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~2E22.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1.prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0407.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0416.ini (808 bytes)
The process MsiExec.exe:2588 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\_isres_0x0409.dll (23352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\IsConfig.ini (329 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.cmdline (362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.0.cs (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.cmdline (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIBD6B.tmp (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C2E.tmp (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\ISBEW64.exe (6705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\ISRT.dll (13792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIB9F1.tmp (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\ISRT.dll (13792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\setup.inx (13381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.out (770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.0.cs (22900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\ISBEW64.exe (6705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5D6D605B-E4B7-490B-A794-9284BC3D2A8B}\_isconfig.xml (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIADFE.tmp (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4BB0.tmp (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\String1033.txt (6868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\setup.inx (13381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\IsConfig.ini (329 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\String1033.txt (6868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5D6D605B-E4B7-490B-A794-9284BC3D2A8B}\EULA.rtf (102000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.out (445 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\_isres_0x0409.dll (23352 bytes)
Registry activity
The process Offercast2802_PCD_.exe:2276 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\APN PIP\PCD]
"PIP_UI_Ready" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\APN PIP\PCD]
"PIP_Top" = "239"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionTime" = "24 E3 E3 96 B2 7B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "52 47 30 95 B2 7B D0 01"
[HKCU\Software\APN PIP\PCD]
"PIP_SkipAll" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"
[HKCU\Software\APN PIP\PCD]
"PIP_Toolbar_Selection" = "hp:true|ds:true|oi:true"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\APN PIP\PCD]
"PIP_UI_Complete" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\APN PIP\PCD]
"PIP_Left" = "606"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PIP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe -rb"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\APN PIP\PCD]
"PIP_Exit_Code"
"PIP_UI_Ready"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\APN PIP\PCD]
"PIP_Offers_Launched"
"Top"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\APN PIP\PCD]
"PIP_Offers_Selection"
"Show_UI"
"PIP_Toolbar_Launched"
"PIP_Top"
"PIP_SkipAll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"
[HKCU\Software\APN PIP\PCD]
"Left"
"PIP_Toolbar_Exitcode"
"PIP_Toolbar_Selection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\APN PIP\PCD]
"Cancel_PIP"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\APN PIP\PCD]
"PIP_Offers_Exitcode"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\APN PIP\PCD]
"Start_Install"
"PIP_UI_Complete"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\APN PIP\PCD]
"PIP_Left"
The process Offercast2802_PCD_.exe:2500 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\APN PIP\PCD]
"PIP_Exit_Code"
"PIP_UI_Ready"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\APN PIP\PCD]
"Show_UI"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\APN PIP\PCD]
"Start_Install"
"PIP_UI_Complete"
"PIP_Offers_Launched"
"Top"
"Cancel_PIP"
"PIP_Offers_Exitcode"
"Left"
"PIP_SkipAll"
"PIP_Toolbar_Exitcode"
"PIP_Toolbar_Launched"
"PIP_Offers_Selection"
"PIP_Top"
"PIP_Toolbar_Selection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\APN PIP\PCD]
"PIP_Left"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process MSIEXEC.EXE:212 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "52 47 30 95 B2 7B D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process MSI4C8C.tmp:580 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
"fveui.dll,-843" = "BitLocker Drive Encryption"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process %original file name%.exe:384 makes changes in the system registry.
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"%IS_PREREQ%-Driver Detective"
"%IS_PREREQF%-Driver Detective"
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
" ISSetupPrerequisistes"
The process MsiExec.exe:2588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\APN PIP\PCD]
"Left" = "606"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\APN PIP\PCD]
"Top" = "239"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\APN PIP\PCD]
"Show_UI" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\MsiExec_RASAPI32]
"ConsoleTracingMask" = "4294901760"
Dropped PE files
| MD5 | File path |
|---|---|
| aa3cf23ec4d00ec8885807a7570f8259 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ochelper[1].exe |
| 135fb44681e6b409dc378960cfcb7a76 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe |
| f1e14b066f078bf8f91c4ae5fea4281a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\APNSetup.exe.tmp |
| e8245fadab2278ad63c147ad6e1407b2 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C8C.tmp |
| 1affd4b7e687f2caa3a62a09b7f35814 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.dll |
| aa3cf23ec4d00ec8885807a7570f8259 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.exe |
| f1e14b066f078bf8f91c4ae5fea4281a | c:\Users\"%CurrentUserName%"\Documents\APNSetup.exe |
| f1e14b066f078bf8f91c4ae5fea4281a | c:\Users\"%CurrentUserName%"\Documents\APNSetup1.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: PC Drivers HeadQuarters
Product Name: Driver Detective
Product Version: 8.1
Legal Copyright: Copyright (C) 2009 PC Drivers HeadQuarters
Legal Trademarks:
Original Filename: InstallShield Setup.exe
Internal Name: Setup
File Version: 8.1
File Description: This installer database contains the logic and data required to install Driver Detective.
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 929067 | 929280 | 4.57147 | b2e6465308e6857a116cdbdb0dc54c40 |
| .rdata | 933888 | 204268 | 204288 | 3.30051 | 85171aa4179d7f4afec4302c929554e9 |
| .data | 1138688 | 35656 | 10752 | 3.15828 | f0272d79af07cde9705c963653bf45d4 |
| .rsrc | 1175552 | 312864 | 313344 | 4.41878 | c6872616fc39662edaaf8d235190cb3e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
446d526261785c7aad69ab2d7de4f637
e197828cae703bc2fb62391f70a6764a
fbf37a32f1a41c250516d26670c16ba3
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=539439, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Apr 2015 03:30:31 GMT
Expires: Mon, 27 Apr 2015 03:30:31 GMT
Date: Mon, 20 Apr 2015 21:44:46 GMT
Connection: keep-alive
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=394
Expires: Mon, 20 Apr 2015 21:49:42 GMT
Date: Mon, 20 Apr 2015 21:43:08 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=465
Expires: Mon, 20 Apr 2015 21:49:42 GMT
Date: Mon, 20 Apr 2015 21:41:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
POST /2011/12/MiscService.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.1)
Content-Type: text/xml; charset=utf-8
SOAPAction: "hXXp://webservices.drivershq.com/2011/12/miscservice/ValidateThirdPartyInstall"
Host: webservices.drivershq.com
Content-Length: 1140
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="hXXp://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="hXXp://VVV.w3.org/2001/XMLSchema"><soap:Header><DefaultHeader xmlns="hXXp://webservices.drivershq.com/2011/12/miscservice"><AffiliateID>Driver Detective</AffiliateID><ResellerID xsi:nil="true" /><WhiteLabelID xsi:nil="true" /><OperatingSystem xsi:nil="true" /></DefaultHeader></soap:Header><soap:Body><ValidateThirdPartyInstall xmlns="hXXp://webservices.drivershq.com/2011/12/miscservice"><xml><?xml version="1.0" encoding="utf-16"?><installValidationMessage xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="hXXp://VVV.w3.org/2001/XMLSchema"><thirdPartyAppID>4</thirdPartyAppID><currentStatus>3</currentStatus><operatingSystem>65536</operatingSystem><operatingSystemServicePack>1</operatingSystemServicePack><installedRam>0</installedRam><driveFreeSpace>0</driveFreeSpace></installValidationMessage></xml></ValidateThirdPartyInstall></soap:Body></soap:Envelope>
HTTP/1.1 200 OK
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Date: Mon, 20 Apr 2015 21:40:39 GMT
Connection: Keep-Alive
X-Powered-By: ASP.NET
Content-Length: 449
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="hXXp://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="hXXp://VVV.w3.org/2001/XMLSchema"><soap:Body><ValidateThirdPartyInstallResponse xmlns="hXXp://webservices.drivershq.com/2011/12/miscservice"><ValidateThirdPartyInstallResult>15</ValidateThirdPartyInstallResult></ValidateThirdPartyInstallResponse></soap:Body></soap:Envelope>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=372
Expires: Mon, 20 Apr 2015 21:50:32 GMT
Date: Mon, 20 Apr 2015 21:44:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=337
Expires: Mon, 20 Apr 2015 21:50:16 GMT
Date: Mon, 20 Apr 2015 21:44:39 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=389
Expires: Mon, 20 Apr 2015 21:49:55 GMT
Date: Mon, 20 Apr 2015 21:43:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=494
Expires: Mon, 20 Apr 2015 21:49:42 GMT
Date: Mon, 20 Apr 2015 21:41:28 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=340
Expires: Mon, 20 Apr 2015 21:49:42 GMT
Date: Mon, 20 Apr 2015 21:44:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=580524, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Apr 2015 14:59:52 GMT
Expires: Mon, 27 Apr 2015 14:59:52 GMT
Date: Mon, 20 Apr 2015 21:44:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/partners/PCD/APNAnalytics.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Fri, 02 May 2014 23:26:22 GMT
ETag: "8287f-9d5-4f8731c072380"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1069
Content-Type: application/xml
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/resources/ochelper/2.9.1.0/ochelper.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Wed, 12 Nov 2014 02:16:18 GMT
ETag: "7601b-6738-5079ffb212080"
Accept-Ranges: bytes
Content-Length: 26424
Content-Type: application/x-msdownload
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:14 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/resources/ui/html/orchestrator1.html?PIPPID=PCD&PTBPartnerID=PCD-SP&STBPartnerID=&tbType=vanilla&version=2.8.0.2 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Wed, 30 Apr 2014 20:45:11 GMT
ETag: "386b7-3244-4f8489fe8a3c0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4244
Content-Type: text/html
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:14 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/resources/ui/js/pipcore-min.js?vers=1124 HTTP/1.1
Accept: */*
Referer: hXXp://ak.pipoffers.apnpartners.com/static/resources/ui/html/orchestrator1.html?PIPPID=PCD&PTBPartnerID=PCD-SP&STBPartnerID=&tbType=vanilla&version=2.8.0.2
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Thu, 04 Dec 2014 02:25:38 GMT
ETag: "6816c-fe23-5095aad044c80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 14120
Content-Type: application/javascript
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:14 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/partners/PCD/images/IEPrimary.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Sat, 28 Jun 2014 08:36:14 GMT
ETag: "4036-2954-4fce1519e1b80"
Accept-Ranges: bytes
Content-Length: 10580
Content-Type: image/png
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:15 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/partners/PCD/scrolltext.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Sat, 19 Jul 2014 00:24:03 GMT
ETag: "5c6c6-609b-4fe80e419aec0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8789
Content-Type: application/xml
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:15 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/partners/PCD/images/CRPrimary-ext.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o DAV/2 mod_jk/1.2.32
Last-Modified: Sat, 28 Jun 2014 08:36:14 GMT
ETag: "62060-2781-4fce1519e1b80"
Accept-Ranges: bytes
Content-Length: 10113
Content-Type: image/png
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:15 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Mon, 20 Apr 2015 21:40:45 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Mon, 20 Apr 2015 21:40:45 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=900
Date: Mon, 20 Apr 2015 21:40:45 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEAccnCzHkryxnIBMNlXU3h8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=345649, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 21:45:26 GMT
Expires: Fri, 24 Apr 2015 21:45:26 GMT
Date: Mon, 20 Apr 2015 21:44:37 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?f207920a3dc5ddab HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Mon, 20 Apr 2015 21:40:45 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 438486457400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 20 Apr 2015 21:44:35 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1e2fb7996d56742c HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Mon, 20 Apr 2015 21:40:10 GMT
Connection: keep-alive
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=392
Expires: Mon, 20 Apr 2015 21:50:16 GMT
Date: Mon, 20 Apr 2015 21:43:44 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
GET /Driver Detective.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:49 GMT
ETag: c1c6ca70953b55e1112e6e074bee86c3
X-Trans-Id: tx5c2c751e01f04b6ca2dd4-0054f6eac4ord1
Content-Length: 7969280
Accept-Ranges: bytes
X-Timestamp: 1379961828.04995
Content-Type: application/x-msdownload
Cache-Control: public, max-age=524
Expires: Mon, 20 Apr 2015 21:48:53 GMT
Date: Mon, 20 Apr 2015 21:40:09 GMT
Connection: keep-alive
<<< skipped >>>
GET /PIP/Server.jhtml?partner_id=PCD&language=en&version=2.8.0.2 HTTP/1.1
User-Agent: APNPIP
Host: pipoffers.apnpartners.com
HTTP/1.1 200 OK
Date: Mon, 20 Apr 2015 21:40:13 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/xml;charset=UTF-8
1ff8
<?xml version="1.0" encoding="UTF-8"?>
<root>
<OwnerInformation>
<owner><name>APN</name><organization>APN Toolbar</organization></owner>
</OwnerInformation>
<GeneralParameters>
<Height>390</Height>
<Width>503</Width>
<bgcolor>efebdf</bgcolor>
<dlg_transparency>255</dlg_transparency>
<defaultLanguage>en</defaultLanguage>
<ShowOfferScreensOnly>false</ShowOfferScreensOnly>
<MessageUser>false</MessageUser>
<BalloonIconPath>hXXp://ak.pipoffers.apnpartners.com/static/partners/{partnerid}/images/install.ico</BalloonIconPath>
<TrayTipTime>2000</TrayTipTime>
<PreviousX>250</PreviousX>
<PreviousY>37</PreviousY>
<NextX>169</NextX>
<NextY>37</NextY>
<CancelX>88</CancelX>
<CancelY>37</CancelY>
<CancelDeclinesOffer>true</CancelDeclinesOffer>
<RetryTimeout>300</RetryTimeout>
<NumberOfSecOffersToShow>0</NumberOfSecOffersToShow>
<Orchestrator>hXXp://ak.pipoffers.apnpartners.com/static/resources/ui/html/orchestrator1.html?PIPPID=PCD&PTBPartnerID=PCD-SP&STBPartnerID=&tbType=vanilla&version={version}</Orchestrator>
<CBID>AFU</CBID>
<TrackID>default</TrackID>
<geo>UA</geo>
<HidePrevious>false</HidePrevious>
<optintextsize>12</optintextsize>
<PartnerKey>154</PartnerKey>
<Progress
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEAll8qxyNsfhvcpE7RObJzo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=463823, public, no-transform, must-revalidate
Last-Modified: Sun, 19 Apr 2015 06:30:15 GMT
Expires: Sun, 26 Apr 2015 06:30:15 GMT
Date: Mon, 20 Apr 2015 21:44:36 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=407268, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 14:45:04 GMT
Expires: Sat, 25 Apr 2015 14:45:04 GMT
Date: Mon, 20 Apr 2015 21:40:11 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEEu1uHVrr/uBz4xsjvTmEAY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=492001, public, no-transform, must-revalidate
Last-Modified: Sun, 19 Apr 2015 14:14:58 GMT
Expires: Sun, 26 Apr 2015 14:14:58 GMT
Date: Mon, 20 Apr 2015 21:40:11 GMT
Connection: keep-alive
<<< skipped >>>
GET /ThawtePremiumServerCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com
HTTP/1.1 200 OK
Server: Apache
ETag: "9cb8d0774970ba44db75b20559ee66ef:1429564251"
Last-Modified: Mon, 20 Apr 2015 21:10:51 GMT
Date: Mon, 20 Apr 2015 21:44:31 GMT
Content-Length: 7587
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=441
Expires: Mon, 20 Apr 2015 21:49:36 GMT
Date: Mon, 20 Apr 2015 21:42:15 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=370
Expires: Mon, 20 Apr 2015 21:48:43 GMT
Date: Mon, 20 Apr 2015 21:42:33 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=507
Expires: Mon, 20 Apr 2015 21:50:06 GMT
Date: Mon, 20 Apr 2015 21:41:39 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
HEAD /media/toolbar/everest/7.9.0/APNSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: apnmedia.ask.com
HTTP/1.1 200 OK
Server: Apache
ETag: "f1e14b066f078bf8f91c4ae5fea4281a:1402695766"
Last-Modified: Fri, 13 Jun 2014 21:37:11 GMT
Accept-Ranges: bytes
Content-Length: 543640
Content-Type: application/octet-stream
Date: Mon, 20 Apr 2015 21:40:49 GMT
Connection: keep-alive
GET /media/toolbar/everest/7.9.0/APNSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 13 Jun 2014 21:37:11 GMT
User-Agent: Microsoft BITS/7.5
Host: apnmedia.ask.com
HTTP/1.1 200 OK
Server: Apache
ETag: "f1e14b066f078bf8f91c4ae5fea4281a:1402695766"
Last-Modified: Fri, 13 Jun 2014 21:37:11 GMT
Accept-Ranges: bytes
Content-Length: 543640
Content-Type: application/octet-stream
Date: Mon, 20 Apr 2015 21:40:49 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=547094, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Apr 2015 05:40:05 GMT
Expires: Mon, 27 Apr 2015 05:40:05 GMT
Date: Mon, 20 Apr 2015 21:44:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=578164, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Apr 2015 14:15:22 GMT
Expires: Mon, 27 Apr 2015 14:15:22 GMT
Date: Mon, 20 Apr 2015 21:44:46 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=345944, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 21:49:58 GMT
Expires: Fri, 24 Apr 2015 21:49:58 GMT
Date: Mon, 20 Apr 2015 21:44:46 GMT
Connection: keep-alive
GET /AskToo~1.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: c4213550.r50.cf2.rackcdn.com
HTTP/1.1 200 OK
Last-Modified: Mon, 23 Sep 2013 18:43:45 GMT
ETag: 759ae9f637b47107851d05af93664db7
X-Timestamp: 1379961824.56190
Content-Type: application/vnd.ms-cab-compressed
X-Trans-Id: tx9cbd6b8fec1148089f017-005506e213ord1
Cache-Control: public, max-age=412
Expires: Mon, 20 Apr 2015 21:49:42 GMT
Date: Mon, 20 Apr 2015 21:42:50 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=378603, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 06:50:09 GMT
Expires: Sat, 25 Apr 2015 06:50:09 GMT
Date: Mon, 20 Apr 2015 21:44:30 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=424743, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 19:40:18 GMT
Expires: Sat, 25 Apr 2015 19:40:18 GMT
Date: Mon, 20 Apr 2015 21:44:30 GMT
Connection: keep-alive
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
setup.exe
CertFreeCertificateContext
CertAddSerializedElementToStore
CertCompareCertificate
CertSerializeCertificateStoreElement
WTHelperGetProvCertFromChain
{7E76A8D6-33D1-0032-16C3-4593092861D0}{E7E2C871-090A-C372-F9AE-C3C6A988D260}{6741C120-01BA-87F9-8734-5FB9DA8A4445}ISSetup.dll
msi.dll
EvalMarker.dat
BetaMarker.dat
.rdata
.debug
ShellExecuteExW
RegOverridePredefKey
GetSystemWindowsDirectoryW
Kernel32.dll
SHFileOperationA
SHFileOperationW
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
FtpFindFirstFileA
InternetCanonicalizeUrlW
HttpEndRequestW
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestW
HttpQueryInfoW
InternetCreateUrlW
InternetCrackUrlW
InternetOpenUrlW
CertFreeCertificateChain
CertGetCertificateChain
CertAddCertificateContextToStore
CertFindCertificateInStore
CertCloseStore
CertSaveStore
CertOpenStore
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CryptImportPublicKeyInfo
CryptMsgClose
CryptMsgGetParam
CertNameToStrW
CertOpenSystemStoreW
CryptDestroyKey
CryptExportKey
CryptImportKey
CryptDeriveKey
-x
skin.ini
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
ADVAPI32.DLL
qR.Rd
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Prerequisites_Unicode\setupPreReq.pdb
VERSION.dll
COMCTL32.dll
GetProcessHeap
GetWindowsDirectoryW
KERNEL32.dll
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
GetCPInfo
GetConsoleOutputCP
ExitWindowsEx
EnumChildWindows
SetViewportExtEx
SetViewportOrgEx
RegCreateKeyW
RegOpenKeyW
RegEnumKeyW
.?AVhttp_file@is@@
.?AVftp_file@is@@
.?AV?$CComObject@VCScriptInitProgressHandler@@@ATL@@
.?AVCScriptInitProgressHandler@@
.?AUIDownloadProgressHandler@@
.?AVPasswdDlg@@
version="1.0.0.0"
name="InstallShield.Setup"
<description>InstallShield.Setup</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>NO_KEY_VALUE
_ISMSIDEL.INI
explorer.exe
Folder=%s
File=%s
CmdLine
installfromweb:
show_err_msg_invalid_identity
show_err_msg
show_beta_msg
show_eval_msg
Supported
cmdline
ErrorReportURL
hXXp://VVV.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
CompanyURL
ShowPasswordDialog
Failed to read setup package: %s name from Setup.ini
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\diskaction.cpp
Reading setup.ini from %s
hXXps://
hXXp://
PTF://
Referer: %s
0xx
wintrust.dll
crypt32.dll
Forcing item moniker %s into ROT...
CLSID\%s
lFailed to load ISSetup.dll
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp
Launching InstallScript engine: %s, %s, %d
Could not find entry point in ISSetup.dll
setup.ini
C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp
Software\Microsoft\Windows\CurrentVersion\RunOnce
%%IS_PREREQ%%-%s
Software\Microsoft\Windows\CurrentVersion
DownloadFiles: %s
XXXXXXXXXXXXXXXX
StartStopProgress - Fallback - %d of %d
Default.prq
%s: %s
%s.%s
MSI or .NET rebooting before prerequsite
Prerequisites need elevation; launching elevated with arguments: %s
Setup.iss
Software\InstallShield\ISWI\7.0\SetupExeLog
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%%IS_PREREQCMD%%-%s
Advertising installation with parameters: %s
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsSetup.cpp
Software\Microsoft\Windows\CurrentVersion\Run
show_reboot_msg
This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full version of InstallShield supports this functionality.
NoSuppressRebootKey
SETUPEXENAME
SETUPEXEDIR
CertKey
I>>> Fatal %s
Reason: %s
passed an invalid handle.
passed an invalid parameter.
passed a bad SQL syntax.
4.70.0.1300
WinInet.dll
%s /g %s /g %s
%s /g %s /g %s /s
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
*.mst
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp
dotnetredist.exe
dotnetfx.exe
dotnetredistSp3.exe
Software\Microsoft\Active Setup\Installed Components\%s
{1C370964-514B-321C-7237-2B4FD86D8568}{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}{F1B13231-13BE-1231-5401-486BA763DEB6}{F279058C-50B2-4BE4-60C9-369CACF06821}{78705f0d-e8db-4b2d-8193-982bdda15ecd}{9B29D757-088E-E8C9-2535-AA319B92C00A}Software\Microsoft\Windows\CurrentVersion\Installer
Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x
.mst"
"%s" /c:"msiinst /delayrebootq"
"%s" /quiet /norestart
"%s" /q
2.0.2600.0
Installing MSI engine %s
lExtracting resource: %s
Template summary for current package: %s
Status returned obtaining PID_TEMPLATE property: %d
Status returned from summary info: %d
SupportOS
SupportOSMsi12
SupportOSMsi30
Msi.DLL
{lX-X-X-XX-XXXXXX}DownloadFiles: downloading %s
Move failed, attempting to copy and delete file, last error %d
Moving file %s to %s
Cab%d
Caching skin %s to %s
Caching ini file %s to %s
Caching transform %s to %s
Failed to cache file, last error %d, prompting for alternate location
Copying file for cache to %s
SHFolder.dll
vjredist20-LP.exe
vjredist-LP.exe
langpack20.exe
langpack.exe
dotnetfxsp1.exe
Error opening package '%s' for Costing: %d
Error applying transform '%s' for Costing: %d
Error opening database '%s' for Costing: %d
Getting file from source, '%s'
Getting file from setup.exe
Getting file from web download
Getting file from web install
Getting file from temp location, '%s'
File to get to '%s'
GetFile: file '%s', ini section '%s', full path '%s', location %d
Could not extract isconfig.ini from current issetup.dll
Extracting resources for '%s' to '%s'
ISConfig.ini for current issetup.dll does not contain TempPathGuid.
IsConfig.ini
Microsoft(R) .NET Framework
J#CmdLine
/jscmd:
/langcmd:"/q:a /c:\"
DotNetFxCmd
DotNetLangPackCmd
vjredist20.exe
vjredist.exe
dotnetfx20.exe
isnetfx.exe
3.0.0.0
2.0.0.0
Reboot needed: %s
Got file '%s' for MSI engine install
instmsi30.exe
Attempting to get file '%s' for MSI engine install
WindowsInstaller-KB893803-x86.exe
Failed to execute query on Binary table, error: %d
Failed to query Binary table, error: %d
Error opening MSI database: %d
MsiAction::Reboot command line %s
"%s" %s /l%d /t"%s" /e"%s" /v"%s" %s
"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s
Failed to get UI DLL from setup.exe for billboard support. This installation will run without billboards.
Failed to load UI DLL, last error %x, install will run without billboards
lLoading ISExternalUI.dll from '%s'
ISExternalUI.dll
First time install uses billboard support
/passive
Attempted unloaded of msi.dll: %d
Failed to locate ISSetup.dll (%s)
%s /a "%s"%s
%s /f%s "%s" %s
%s /j%s "%s" %s
%s /x "%s" %s
/p"%s" %s
%s /p "%s" %s
%s /i "%s" %s
%s="%s" %s="%s"
ISSCRIPTCMDLINE="
ISSCRIPTCMDLINE
Installing silent prerequisites for features: %s
Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.
4.05.0.0
InstanceId%d
/n %s
:InstanceId%d.mst
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
DataCabInSetupExe
Data.Cab
Setup.bmp
CEvalMarker.dat
D1.20.1827.0
2.9.0.0
Extracting setup.ini...
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp
%s/%s
%s"%s"
0xx.ini
Extraction of '%s' failed
Extracting '%s' to %s
This setup was created with a EVALUATION VERSION of %s
This setup was created with a BETA VERSION of %s
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please rebuild the setup to run it again. The setup will now exit.
Upgrade check: obtained package code %s from machine, current package code is %s
Upgrade check: checking product code %s
PASSWORD
Using language transforms from setup.exe location
Default language: %d, got code page %d
%s=%s
Password
Section: %s
Dumping setup.ini...
DSetup.INI
INSTMSIA.EXE
INSTMSIW.EXE
MSIEXEC.EXE
setup.isn
CloneSetupExe
Setup returning %d
%s /q"%s" /tempdisk1folder"%s" %s
%s\x.mst
%s\0xx.ini
key%d
%s %s
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp
InstallShield setup.exe (Unicode) started, cmdline: %s
DC:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPrereqMgr.cpp
Transform list: %s
Skipping prerequisite '%s' because it was installed before the reboot
Marking prerequisite '%s' for install during ADMIN install
Features match for prerequisite '%s'
Features do not match for prerequisite '%s'
Prerequisite '%s' scheduled before feature selection
Checking setup prerequisite '%s'
Prerequisites returning %d
%%IS_PREREQF%%-%s
Running setup prerequisites (%s)...
SOFTWARE\Microsoft\Windows\CurrentVersion
C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPreRequisite.cpp
[WindowsFolder]
%s,%s,%s,%s,%s,%s
[SETUPEXEDIR]
[SETUPEXENAME]
Launching MSI prerequisite %s, command line %s
CSetupPreRequisite::ExecuteMsiWithProgress
cmdlinesilent
AltPrqURL
operatingsystemcondition
[WindowsFolder]Wininit.ini
PendingFileRenameOperations
SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Reboot required - %s key added
Wininit.ini rename
FileRenameOperations
Could not launch prerequisite, last error: %d, ShellExecute: %d
Prerequisite process exited with return code %d
Creating new process for prerequisite, launching command line %s [%s] %s
CSetupPreRequisite::ExecuteGenericPrerequisite
Return Code from EXE: %d
Attempting to execute prerequisite: %s
CSetupPrerequisite::ExecutePrerequisite
N%s,%u
%u.%u.%u.%u
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp
System\CurrentControlSet\Control\Windows
%d: %s
Launch result %d, exit code %d
Attempting to launch: %s
Launch result %d
Attempting to launch (no wait): %s
"%s" %s
WShell32.dll
kernel32.dll
Advapi32.lib
advapi32.dll
.DEFAULT\Control Panel\International
.Default\Control Panel\desktop\ResourceLocale
mlang.dll
KERNEL32.DLL
portuguese
oleaut32.dll
Windows Server 2003
Windows Vista / Server 2008
Windows 7 / Server 2008 R2
Windows 8 / Server 2012
Windows XP
Windows 95
Windows 98
Windows Me
Windows NT 4.0
Windows 2000
shell32.dll
%d%s%d%s%d%s%d
Ntdll.dll
psapi.dll
PSTORES.EXE
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %ls
%s%s%d.%s
NRange: bytes=%d-
Range: bytes=%d-
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
RPAWINET.DLL
wininet.dll
NWinTrust.dll
Crypt32.dll
Advapi32.dll
1.2.840.113549.1.9.1
2.5.4.10
2.5.4.11
2.5.4.3
%hx.rra
123.tmp
uxtheme.dll
%d,%d,%d
%d,%d
mscoree.dll
Ndest%d
source%d
Software\InstallShieldPendingOperation
InstallShieldPendingOperation
WININIT.INI
InstallShield.log
%s[%s]: %s
%s[%s]: %s -- File: %s, Line: %d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Setup.INIC:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}c:\%original file name%.exe
@10550,10551;1;0;;0,128,128
Do you wish to install %s?
This software has not been altered since publication by %s. To install %s, click OK.
Caution: %s affirms this software is safe. You should only continue if you trust %s to make this assertion.
The identity of this software publisher was verified by %s.
&Always trust software published by %s.
@10650,10651;1;0;;0,128,128
You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
Please enter the password
Password:
%sc%1 Setup is preparing the %2, which will guide you through the program setup process. Please wait.!Checking Operating System Version%Checking Windows(R) Installer Version
Configuring Windows Installer
Configuring %s
Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system.
The installer must restart your system to complete configuring the Windows Installer service. Click Yes to restart now or No if you plan to restart later.DThis setup will perform an upgrade of '%s'. Do you want to continue?XA later version of '%s' is already installed on this machine. The setup cannot continue.
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running either Windows 95 (or later version), or Windows NT 4.0 Service Pack 6 (or later version), before relaunching the installation'Error writing to the temporary location
-Error extracting %s to the temporary location'Error reading setup initialization file
Installer not found in %s
File %s not found#Internal error in Windows Installer
IError populating strings. Verify that all strings in Setup.ini are valid.
RestartQSetup needs %lu KB free disk space in %s. Please free up some space and try again
/V parameters to MsiExec.exejWindows(R) Installer %s found. This is an older version of the Windows(R) Installer. Click OK to continue.
ANSI code page for %s is not installed on the system and therefore setup cannot run in the selected language. Run the setup and select another language.
Setup requires Windows Installer version %s or higher to install the Microsoft .NET Framework version 2.0. Please install the Windows Installer version %s or higher and try again.
xThis setup does not contain the Windows Installer engine (%s) required to run the installation on this operating system.
'Unable to install %s Scripting Runtime.8Unable to create InstallDriver instance, Return code: %d;Please specify a location to save the installation package.
Unable to extract the file %s.
Downloading file %s.LAn error occurred while downloading the file %s. What would you like to do?
/sec&Failed to verify signature of file %s.
Estimated time remaining: %d %s of %d %s downloaded at d.d %s%s
Unable to save file: %s Failed to complete installation.
/UA<url to InstMsiA.exe>
/UW<url to InstMsiW.exe>
/UM<url to msi package>
/US<url to IsScript.msi>8Setup Initialization Error, failed to clone the process.:The file %s already exists. Would you like to replace it?
_Could not verify signature. You need Internet Explorer 3.02 or later with Authenticode update.hSetup requires a newer version of WinInet.dll. You may need to install Internet Explorer 3.02 or later.}You do not have sufficient privileges to complete this installation. Log on as administrator and then retry this installation=Error installing Microsoft(R) .NET Framework, Return Code: %dZ%s optionally uses the Microsoft (R) .NET %s Framework. Would you like to install it now?
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running either Windows 95 (or later version), or Windows NT 4.0 Service Pack 3 (or later version), before relaunching the installation\%s optionally uses the Visual J# Redistributable Package. Would you like to install it now? - (This will also install the .NET Framework.)
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running Windows 2000 Service Pack 3 (or later version), before relaunching the installationw%s requires the following items to be installed on your computer. Click Install to begin installing these requirements.
Installing %sDWould you like to cancel the setup after %s has finished installing?
The files for installation requirement %s could not be found. The installation will now stop. This is probably due to a failed, or canceled download.XThe installation of %s appears to have failed. Do you want to continue the installation?
Skipped7The installation of %s has failed. Setup will now exit.gThe installation of %s requires a reboot. Click Yes to restart now or No if you plan to restart later.8%1 optionally uses %2. Would you like to install it now?
&Patch an existing instanceWThis installation requires Windows Installer version 4.5 or newer. Setup will now exit.
Authenticity Verified;The identity of this software publisher was verified by %s.lCaution: %s affirms this software is safe. You should only continue if you trust %s to make this assertion.'&Always trust software published by %s.UThis software has not been altered since publication by %s. To install %s, click OK.
%s - InstallShield Wizard
Setup has detected one or more instances of this application already installed on your system. You can maintain or update an existing instance or install a completely new instance.MSelect the instance of the application you want to &maintain or update below:
x%s Setup is preparing the InstallShield Wizard, which will guide you through the rest of the setup process. Please wait.
Error Information:3An error (%s) has occurred while running the setup.
Please make sure you have finished any previous setup and closed other applications. If the error still occurs, please contact your vendor: %s.
&Report}There is not enough space to initialize the setup. Please free up at least %ld KB on your %s drive before you run the setup.{A user with administrator rights installed this application. You need to have similar privileges to modify or uninstall it.tAnother instance of this setup is already running. Please wait for the other instance to finish and then try again.The origin and integrity of this application could not be verified. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
The origin and integrity of this application could not be verified because it was not signed by the publisher. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
The origin and integrity of this application could not be verified. The certificate used to sign the software has expired or is invalid or untrusted. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.jThe software is corrupted or has been altered since it was published. You should not continue this setup.0This setup was created with a BETA VERSION of %s7This Setup was created with an EVALUATION VERSION of %s
This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full version of InstallShield supports this functionality. For more information, see InstallShield KB article Q200900.
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s days after they were built. Please rebuild the setup to run it again. The setup will now exit.3This setup works until %s. The setup will now exit.
The path to the installation contains unsupported characters. Try moving the installation to a location that does not have special characters, and then try relaunching it.iThis setup requires administrative privileges that appear to be unavailable. Would you like to try again?
InstallShield Setup.exe
19.0.160
MSIEXEC.EXE_212:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
ole32.dll
msi.dll
CUu,CUu.AUu;AUu
PSSSSSSh
t%SSWV3
ntdll.dll
RegOpenKeyExW
RegCreateKeyExW
ReportEventW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyExW
RegGetKeySecurity
MsgWaitForMultipleObjects
_acmdln
_amsg_exit
msiexec.pdb
name="MSIExec"
version="4.0.0.0"
<description> Windows installer setup service </description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
> >$>(>,>4>8><>
Msi.dll
Software\Microsoft\Windows\CurrentVersion\Installer
passive
Kernel32.dll
FIsKeyLocalSystemOrAdminOrTrustedInstallersOwned: Could not get owner security info.
PurgeUserOwnedSubkeys: Could not open subkey: %s
PurgeUserOwnedSubkeys: Could not enumerate subkeys.
PurgeUserOwnedSubkeys: Could not delete SubKey tree.
PurgeUserOwnedSubkeys: %s not owned by System, Admin or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not delete tree.
PurgeUserOwnedInstallerKeys: Key '%s' not owned by System, Admin, or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not open key '%s'
OpenProcessToken failed with %d
OLEAUT32.dll
Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
SetInstallerACLs: Could not create Secure Installer sub key.
SetInstallerACLs: Could not delete Installer key tree.
SetInstallerACLs: Installer key not owned by System or Admin. Deleting key subkeys and re-creating.
SetInstallerACLs: Could not create Installer key.
Wait Failed in MsgWait.
kernel32.dll
APPID\%s
%s\DefaultIcon
%s\CLSID
CLSID\%s
CLSID\%s\ProgId
Msi.Package
Windows Installer Package
Msi.Patch
Windows Installer Patch
MsiExecCA32
{lX-0000-0000-C000-000000000046}MsiRegMv.Exe
ISMIF32.DLL
%d.%d.%.4d.%d
REINSTALL=ALL REINSTALLMODE=%s
Error: %d. %s.
Software\Policies\Microsoft\Windows\Installer
Failed to connect to server. Error: 0x%X
FDeleteRegTree: Unable to delete subkey: %s
TRANSFORMS="C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\1033.MST" SETUPEXEDIR="c:" SETUPEXENAME="%original file name%.exe"
Windows
5.0.7601.17514 (win7sp1_rtm.101119-1850)
msiexec
msiexec.exe
Windows Installer - Unicode
5.0.7601.17514
MsiExec.exe_2588:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
ole32.dll
msi.dll
CUu,CUu.AUu;AUu
PSSSSSSh
t%SSWV3
ntdll.dll
RegOpenKeyExW
RegCreateKeyExW
ReportEventW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyExW
RegGetKeySecurity
MsgWaitForMultipleObjects
_acmdln
_amsg_exit
msiexec.pdb
name="MSIExec"
version="4.0.0.0"
<description> Windows installer setup service </description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
> >$>(>,>4>8><>
Msi.dll
Software\Microsoft\Windows\CurrentVersion\Installer
passive
Kernel32.dll
FIsKeyLocalSystemOrAdminOrTrustedInstallersOwned: Could not get owner security info.
PurgeUserOwnedSubkeys: Could not open subkey: %s
PurgeUserOwnedSubkeys: Could not enumerate subkeys.
PurgeUserOwnedSubkeys: Could not delete SubKey tree.
PurgeUserOwnedSubkeys: %s not owned by System, Admin or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not delete tree.
PurgeUserOwnedInstallerKeys: Key '%s' not owned by System, Admin, or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not open key '%s'
OpenProcessToken failed with %d
OLEAUT32.dll
Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
SetInstallerACLs: Could not create Secure Installer sub key.
SetInstallerACLs: Could not delete Installer key tree.
SetInstallerACLs: Installer key not owned by System or Admin. Deleting key subkeys and re-creating.
SetInstallerACLs: Could not create Installer key.
Wait Failed in MsgWait.
kernel32.dll
APPID\%s
%s\DefaultIcon
%s\CLSID
CLSID\%s
CLSID\%s\ProgId
Msi.Package
Windows Installer Package
Msi.Patch
Windows Installer Patch
MsiExecCA32
{lX-0000-0000-C000-000000000046}MsiRegMv.Exe
ISMIF32.DLL
%d.%d.%.4d.%d
REINSTALL=ALL REINSTALLMODE=%s
Error: %d. %s.
Software\Policies\Microsoft\Windows\Installer
Failed to connect to server. Error: 0x%X
FDeleteRegTree: Unable to delete subkey: %s
Windows
5.0.7601.17514 (win7sp1_rtm.101119-1850)
msiexec
msiexec.exe
Windows Installer - Unicode
5.0.7601.17514
MsiExec.exe_2588_rwx_001C0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
ochelper.exe_1372:
.text
`.rdata
@.data
.rsrc
@.reloc
_ReportResult@0
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
SHELL32.dll
SETUPAPI.dll
C:\Jenkins\workspace\OC_HELPER\Release\BootStrap.pdb
ochelper.dll
.OP@x
5"5*50565
Global\4442DC16-8108-42F8-A300-EA2B80F8B6C1
%s /r %d
MsiExec.exe_2588_rwx_00980000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
MsiExec.exe_2588_rwx_00AE0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
Offercast2802_PCD_.exe_2500:
.text
`.rdata
@.data
.rsrc
@.reloc
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
pipoffers.apnpartners.com
user_pref("keyword.URL", "user_pref("browser.startup.homepage", "GetChromeIncumbentDSProvider in
"search_url": "
GetChromeIncumbentHPR in
report
rules.js
objectmodel.js
Finished Parsing the config.xml file
analytics.xml
Download APNAnalytics.xml file failed, attempting to use local
No .xml file is found:
Local ui.xml will be used:
Local .xml will be used:
Create thread failed in ExecuteAllOfferFiles()
Wait on execution thread success
Wait on execution thread failure
Finished successfully executing file
Failed to execute file
Skipping cancel for execution progress
OnPostReporting...
Total number of eligible offers to report
Lookup breaking. Parent exitcode %d waitWindow %x
WaitWnd %x WaitWnd PID %d WaitWnd TID %d
GetWindowThreadID failed last error %d
OpenProcess failed Last error %d
Waitforsingleobject failed Last error %d
AreThereOffersToDownloadAndExecute : true. Identified fileid:
AreThereOffersToDownloadAndExecute : False
ui.xml
Download Config.xml file failed, attempting to use local
Installchecker exe validation failed
Installchecker exe run failed
reporting
%s %d -/d/d d:d:d.d
APNLog.txt
HttpOpenRequest return failed
HttpSendRequest return failed
Send Reporting finished
Beacon HttpOpenRequest return failed
Beacon HttpSendRequest return failed
Beacon URL incorrect
icUrl
promptmsg
failed to set recv timeout: %d
failed to set send timeout: %d
Reply from %s: bytes=%d time=%.0fms TTL=%d icmp_seq=%u
Rule execution aborted- either local / remote succeeded.
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
2.5.4.11
1.3.6.1.4.1.311.2.1.12
DownloadSingleFile()... url:
C:\.jenkins\jobs\PIP2.0_INSTALLER\workspace\release\AskInstaller_1_.pdb
RPCRT4.dll
msi.dll
UxTheme.dll
WinExec
GetWindowsDirectoryW
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
GDI32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
DeleteUrlCacheEntryW
InternetCrackUrlW
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
WININET.dll
URLDownloadToFileW
urlmon.dll
GdiplusShutdown
gdiplus.dll
WS2_32.dll
VERSION.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
WINTRUST.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AUIPIPRulesExecutor@@
.?AV?$IDispatchImpl@UIPIPRulesExecutor@@$1?IID_IPIPRulesExecutor@@3U_GUID@@B$1?LIBID_AskInstallerLib@@3U3@B$0PPPP@$0PPPP@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$SODispatchImpl@UIPIPRulesExecutor@@$1?IID_IPIPRulesExecutor@@3U_GUID@@B$1?LIBID_AskInstallerLib@@3U3@B@@
.?AUISupportErrorInfo@@
.?AVCDestroyerAndUrlBinderCallback@CDownloader@@
.?AV?$_IDispEventLocator@$0A@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0A@V?$CAxWindowEx@VCAxView@@@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.Pf:f\
if (typeof Date.prototype.toJSON !== 'function') {Date.prototype.toJSON = function (key) {return isFinite(this.valueOf()) ?
this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z' : null;
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"' string.replace(escapable, function (a) {'\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);function str(key, holder) {// Produce a string from holder[key].
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {length = value.length;
// Join all of the elements together, separated with commas, and wrap them in
v = partial.length === 0 ? '[]' : gap ?
'[\n' gap partial.join(',\n' gap) '\n' mind ']' :'[' partial.join(',') ']';length = rep.length;
partial.push(quote(k) (gap ? ': ' : ':') v);
// Otherwise, iterate through all of the keys in the object.
if (Object.prototype.hasOwnProperty.call(value, k)) {// Join all of the member texts together, separated with commas,
v = partial.length === 0 ? '{}' : gap ?'{\n' gap partial.join(',\n' gap) '\n' mind '}' :'{' partial.join(',') '}';if (typeof JSON.stringify !== 'function') {JSON.stringify = function (value, replacer, space) {// that can replace values, or an array of strings that will select the keys.
typeof replacer.length !== 'number')) {throw new Error('JSON.stringify');// Make a fake root object containing our value under the key of ''.
if (typeof JSON.parse !== 'function') {JSON.parse = function (text, reviver) {function walk(holder, key) {var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {return reviver.call(holder, key, value);
// Parsing happens in four stages. In the first stage, we replace certain
cx.lastIndex = 0;
if (cx.test(text)) {text = text.replace(cx, function (a) {('0000' a.charCodeAt(0).toString(16)).slice(-4);// We split the second stage into 4 regexp operations in order to work around
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {// JavaScript structure. The '{' operator is subject to a syntactic ambiguity// In the optional fourth stage, we recursively walk the new structure, passing
throw new SyntaxError('JSON.parse');
<script type="text/javascript" src="./objectModel.js"></script>
<script type="text/javascript" src="./rules.js"></script>
var primaryTlbrID = getURLParameters("PTBPartnerID");= getURLParameters("STBPartnerID");var pipPartnerID = getURLParameters("PIPPID");var tbType=getURLParameters("tbType");var version=getURLParameters("version");var hidePtnrSecondaryOffer=getURLParameters("hideSecondary");function getURLParameters(paramName)
var sURL = window.document.URL.toString();
if (sURL.indexOf("?") > 0)var arrParams = sURL.split("?");var arrURLParams = arrParams[1].split("&");var arrParamNames = new Array(arrURLParams.length);
var arrParamValues = new Array(arrURLParams.length);
for (i=0;i<arrURLParams.length;i )
var sParam = arrURLParams[i].split("=");piprule.setRuleCallback(
logger.log("\r\n ****** pirule setRule callBackFired : function called is " "Rule name: " ruleName "Number: " arguments.length);var params = Array.prototype.slice.call(arguments, 1);
return window[ruleName].apply(this, params);
logger.log("\r\n ****** inside load " e.message " Rule name: " ruleName);logger.log("\r\n ****** Load Function Error " e.message);
hXXp://VVV.JSON.org/json2.js
2011-02-23
See hXXp://VVV.JSON.org/js.html
See hXXp://javascript.crockford.com/jsmin.html
JSON.stringify(value, replacer, space)
will be passed the key associated with the value, and this will be
Date.prototype.toJSON = function (key) {return this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z';
You can provide an optional replacer method. It will be passed the
key and value of each member, with this bound to the containing
such that only members with keys listed in the replacer array are
JSON.stringify(undefined) returns undefined.
text = JSON.stringify(['e', {pluribus: 'unum'}]);text = JSON.stringify(['e', {pluribus: 'unum'}], null, '\t');text = JSON.stringify([new Date()], function (key, value) {return this[key] instanceof Date ?
'Date(' this[key] ')' : value;JSON.parse(text, reviver)
transform the results. It receives each of the keys and values,
myData = JSON.parse(text, function (key, value) {/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}(?:\.\d*)?)Z$/.exec(value);return new Date(Date.UTC( a[1], a[2] - 1, a[3], a[4],
myData = JSON.parse('["Date(09/09/2001)"]', function (key, value) {value.slice(0, 5) === 'Date(' &&value.slice(-1) === ')') {d = new Date(value.slice(5, -1));
getUTCMinutes, getUTCMonth, getUTCSeconds, hasOwnProperty, join,
objectModel.initialized = false;
if (objectModel.initialized === false && typeof window !== "undefined" &&
typeof window.external !== "undefined") {_logger = window.external.GetObject("logger");logger.log = function(var1) {return _logger.log(var1);
logger.error = function(var1) {return _logger.error(var1);
logger.debug = function(var1) {return _logger.debug(var1);
logger.info = function(var1) {return _logger.info(var1);
logger.warn = function(var1) {return _logger.warn(var1);
logger.group = function(var1) {return _logger.group(var1);
logger.dir = function(var1) {return _logger.dir(var1);
logger.error(x);
browser = window.external.GetObject("browserinfo");system = window.external.GetObject("system");piprule = window.external.GetObject("piprule");pipclient = window.external.GetObject("pipclient");};PAvar regsistryPathx64 = "HKEY_LOCAL_MACHINE\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\";
var registryPathx86 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\";
var FIREFOX="firefox";
var CHROME="Google Chrome";
var unsupportedBrowser = "2:Unsupported default browser";
var IneligibleChrome = "3:Ineligible Chrome";
var UnsupportedOSXP64bit = "11:Unsupported OS XP 64 bit";
var AnchorFreeUnsupportedOS = "18: AnchorFree unsupported OS XP or Vista 64bit ";
var AudialsOfferNotEligibleUnsupportedOSXP32orVista64bit = "20: Audials offer not eligible as unsupported OS XP 32 or Vista 64 bit";
var OldClientAskSecureOfferNotSupported = "24:Old Client AskSecure offer not supported";
var inputBrowserTypeNotSupported = "27:Input Browser Type is NOT Supported";
var inputIEBrowserVersionNotSupported = "28:IE Browser Version Is NOT Supported";
var inputCRBrowserVersionNotSupported = "29:CR Browser Version Is NOT Supported";
var inputFFBrowserVersionNotSupported = "30:FF Browser Version Is NOT Supported";
a = a.split('.');b = b.split('.');l = Math.min(a.length, b.length);
return a.length - b.length;
var versionresult=cmpVersions(clientversion,"2.6.8.0");
if(window.navigator.userAgent.indexOf('WOW64')>-1 || window.navigator.platform=='Win64')function isSupportedOS() {if (window.navigator.appVersion.indexOf("Windows NT 5.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 5.2") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 ) {for (var i=0; i < jsonString.makeofferdisabled.length; i ) {if(partnerID == jsonString.makeofferdisabled[i]){unsupportedBrowser = IneligibleChrome;
var key;
for (key in checkObj) {incumbentPartners = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\AskPartnerNetwork\\Toolbar\\shared\\","tbsinstalled",0);incumbentPartners = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\AskPartnerNetwork\\Toolbar\\shared\\","tbsinstalled",0);incumbentPartnerIDs = incumbentPartners.split(",");for(var j=0; j<jsonString.blocklistedPartners.length;j ){if(tlbrID == jsonString.blocklistedPartners[j]) {if(incPartners.length < 1 || incPartners.length >= 4) {for(var k=0; k<incPartners.length;k ){if(incumbentTbType.toLowerCase().startsWith("vanilla") && tbType.toLowerCase().startsWith("vanilla")){var productVersion =system.getProductVersion(productCode);
var registryValue=system.getRegValue(registryPath,regValue,n);
if (window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 )defaultbrowserAppPath = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice","Progid",0);defaultbrowserPath = "HKEY_CLASSES_ROOT\\" defaultbrowserAppPath "\\shell\\open\\command\\";
default_browser = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Clients\\StartMenuInternet\\","",0);default_browser = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Clients\\StartMenuInternet\\","",0)default_browser = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\command\\","",0);default_browser = pipgetRegValue("HKEY_CLASSES_ROOT\\http\\shell\\open\\command\\","",0);function isSupportedBrowser(partnerID) {if (window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 ) {defaultbrowserAppPath=pipgetRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice","Progid",0);defaultbrowserPath="HKEY_CLASSES_ROOT\\" defaultbrowserAppPath "\\shell\\open\\command\\";
defaultBrowser = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Clients\\StartMenuInternet\\","",0);defaultBrowser = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Clients\\StartMenuInternet\\","",0)defaultBrowser=pipgetRegValue("HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\command\\","",0);defaultBrowser=pipgetRegValue("HKEY_CLASSES_ROOT\\http\\shell\\open\\command\\","",0);if(defaultBrowser.toLowerCase().indexOf("firefox.exe") > -1){defBrowser =FIREFOX;
if(defaultBrowser.toLowerCase().indexOf("iexplore.exe") > -1 ){if(defaultBrowser.toLowerCase().indexOf("chrome") > -1 && makeoffer(partnerID)) {defBrowser =CHROME;
n=defaultBrowser.lastIndexOf("\\");defBrowser=defaultBrowser.substring(n,defaultBrowser.length-1);
defBrowser=defBrowser.replace(/[^\w\s]/gi, '');
unsupportedBrowser=unsupportedBrowser defBrowser;
var checkV5Installed = getProductVersion("{86D4B82A-ABED-442A-BE86-96357B70F4FE}");for(var i=0; i<incumbentTlbrList.length;i ){if((incumbentTlbrList[i].indexOf("-SAT") > -1 && satTlbrID.indexOf("-SAT")> -1)) {partnerid.value=incumbentTlbrList[i];
if (!isSupportedOS()) return false;
if(!isSupportedBrowser(primaryTlbrID)){return getReasonCode(unsupportedBrowser);
v5TlbrID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\AskToolbar\\Macro","tb",0);v5TlbrID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\AskToolbar\\Macro","tb",0);if(!isSupportedBrowser(primaryTlbrID))
this.value="";
if(!isSupportedBrowser(satTlbrID))
v6SatInstalled=v6SatInstalled " " partnerid.value;
var getIEversion=browser.ieVersion;
parseInt(isIE9extnenabled,2)=system.getRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Approved Extensions","{D4027C7F-154A-4066-A1AD-4243D8127440}",0);toolbarDisableFlag = system.getRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{D4027C7F-154A-4066-A1AD-4243D8127440}","Flags",0);if(e.message =="CSystemUtil::getRegValue Failed : UnSupported Variant Type of 3"){if(e.message =="CSystemUtil::getRegValue Failed : UnSupported Variant Type of 0"){if(defBrowser.toLowerCase() == FIREFOX) return true;
if(window.navigator.appVersion.indexOf("Windows NT 5.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 5.2") != -1 ||(window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 && is64Bit())){return AnchorFreeUnsupportedOS;
AFRegistryPath = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\HotspotShield","Publisher",0);AFRegistryPath = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\HotspotShield","Publisher",0);if(window.navigator.appVersion.indexOf("Windows NT 5.1") != -1 || (window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 && is64Bit())){return AudialsOfferNotEligibleUnsupportedOSXP32orVista64bit;
var DPRegistryPath = pipgetRegValue("HKEY_CURRENT_USER\\Software\\DealPly","InstallStatus",0);if(!isEmpty(DPRegistryPath) && DPRegistryPath.toLowerCase() =="ok"){var UBRegistryPath = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Uniblue\\SpeedUpMyPC","InstalledLocation",0);var PTRegistryPath = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Paltalk","InstallerAppDir",0);var SFRegistryPath = pipgetRegValue("HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\superfish","InstallStatus",0);if(!isEmpty(SFRegistryPath) && SFRegistryPath.toLowerCase() =="ok"){if(!v6SaturationToolbarOfferFlag &&!showSecondaryOffer &&(primaryTlbrID.toLowerCase().indexOf("myc") > -1 || satTlbrID.toLowerCase().indexOf("myc-sat") > -1)){var SCRegistryPath = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Speedchecker Limited\\PC Speed Up","Uninstaller",0);if(window.navigator.appVersion.indexOf("Windows NT 5.1") != -1){winServicePackRegValue=pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion",0);if(window.navigator.appVersion.indexOf("Windows NT 5.2") != -1) {reasonString = UnsupportedOSXP64bit;
cpuSpeed = system.getRegValue("HKLM\\Hardware\\Description\\System\\Centralprocessor\\0","~MHZ",0);physicalMemory=(system.getTotalPhysicalMemory());
diskFreeSize = system.getDiskFreeSize();
var nortonToolbarKey;
nortonToolbarKey = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Toolbar","{A13C2648-91D4-4bf3-BC6D-0079707C4389}",0);if(isEmpty(nortonToolbarKey)){nortonToolbarKey = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Toolbar","{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}",0);nortonToolbarKey = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar","{A13C2648-91D4-4bf3-BC6D-0079707C4389}",0);if(!isEmpty(nortonToolbarKey)){logger.log("\r\n******************Norton Toolbar Installed****************");partnerRegPath = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\AskPartnerNetwork\\Toolbar\\";
partnerRegPath = "HKEY_LOCAL_MACHINE\\SOFTWARE\\AskPartnerNetwork\\Toolbar\\";
for(var i=0; i<installedPartners.length;i ){if(installedPartners[i].startsWith(partner)){toolbarID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\AskToolbar\\Macro","tb",0);toolbarID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\AskToolbar\\Macro","tb",0);if(toolbarID.startsWith(partnerids)){for(var i=0; i<installedToolbars.length;i ){String.prototype.startsWith = function(prefix) {return this.indexOf(prefix) === 0;
function clientSupported() {var versionValue=cmpVersions(version,"2.6.12.1");
if(!clientSupported()){return getReasonCode(OldClientAskSecureOfferNotSupported);
Offers.Check = function (offer_id)
offers_gen_params = offers_gen_params || JSON.parse(pipclient.getOffers());
if (!this.cache)
this.cache = [];
for (var i = 0; i < offers_gen_params.offers.length; i)
var ttt = offers_gen_params.offers[i].id;
var t_obj = {id : offers_gen_params.offers[i].id};this.cache.push(t_obj);
for (var i = 0; i < this.cache.length; i)
if (this.cache[i].id === offer_id)
if (this.cache[i].result)
} // Offers.Check
Offers.RetrieveResult = function (offer_id)
return this.cache[i].result;
} // Offers.RetrieveResult
Offers.OfferedToolbars = function (installed_toolbars, offer_id)
if (this.cache[i].tb_info && this.cache[i].tb_info.PID)
installed_toolbars.push(this.cache[i].tb_info);
} // Offers.OfferedToolbars
Offers.StoreResult = function (offer_id, result, toolbar_to_be_installed)
this.cache[i].result = result;
this.cache[i].tb_info = toolbar_to_be_installed;
for ( i; i < this.cache.length; i)
delete this.cache[i].result;
} // Offers.StoreResult
if (show_logger) logger.log(" --- Enter InstallCheck with param of : " JSON.stringify(param));if (!isSupportedOS() || !isOSServicePackCompatible())
return_JSON.result = parseInt(reasonString, 10);
return_JSON.errorDescription = reasonString;
return JSON.stringify(return_JSON);
toolbar_to_be_installed.PID = primaryTlbrID;
if (Offers.Check(offer_id))
return JSON.stringify(Offers.RetrieveResult(offer_id));
Offers.OfferedToolbars(installed_toolbars, offer_id);
all_browsers = all_browsers || JSON.parse(browser.allBrowsers);
return_JSON.result = 0;
return_JSON.result = 1;
return_JSON.result = parseInt(result, 10);
return_JSON.errorDescription = result;
return_JSON.lookupTable.fileid = "v6ic";
return_JSON.lookupTable.stubversion = "6.6.0";
Offers.StoreResult(offer_id, return_JSON, toolbar_to_be_installed);
if (show_logger) logger.log("RETURN RESULT FOR V6 CALL : " JSON.stringify(return_JSON));return JSON.stringify(return_JSON);
var p_param = param.split("|");for (var i = 0; i < offers_gen_params.offers.length; i)
if (offers_gen_params.offers[i].id === offer_id)
var toolbar_id = offers_gen_params.offers[i].ToolbarID || "";
if (toolbar_id.indexOf("-SAT") > 0)if (offers_gen_params.offers[i].id === p_offer_id)
toolbar_type = offers_gen_params.offers[i].tbType || "";
toolbar_id = offers_gen_params.offers[i].ToolbarID || "";
var r1 = toolbar_id.match(reg_exp);
r2 = toolbar_id.slice(0, -r1[0].length);
if (r1[0].length === 3)
return Offers.RetrieveResult(offer_id);
return JSON.stringify(ps_check);
Offers.OfferedToolbars(installed_toolbars, offer_id);
all_browsers = all_browsers || JSON.parse(browser.allBrowsers);
if (!all_browsers.dfBr)
all_browsers.dfBr = defaultBrowser();
if (show_logger) logger.log("\r\n All browsers values: " JSON.stringify(all_browsers) " : ");offers_gen_params = offers_gen_params || JSON.parse(pipclient.getOffers());
if (show_logger) logger.log("Actual Param " param " *******Returned offers " JSON.stringify(offers_gen_params) "\n");if (show_logger) logger.log("Installed Toolbars : " JSON.stringify(installed_toolbars) "\n");if (show_logger) logger.log("Toolbar To Be Installed : " JSON.stringify(toolbar_to_be_installed) "\n");return_JSON.errorDescription = "";
return_JSON.result = parseInt(reasonString, 10);
return_JSON.errorDescription = reasonString;
if (show_logger) logger.log("\r\n********** V7 Stringified JSON " JSON.stringify(return_JSON));if (return_JSON.result !== 0)
toolbar_to_be_installed.browser = target_browser;
Offers.StoreResult(offer_id, return_JSON, toolbar_to_be_installed);
if (show_logger) logger.log("\r\n******Error*****" e.message);for (var i = 0; i < offers_gen_params.offers.length; i)
if (offers_gen_params.offers[i].id === offer_id)
//var toolbar_id = offers_gen_params.offers[i].ToolbarID || "";
var offer_type = offers_gen_params.offers[i].offerType || "";
offer_type = offer_type.toLowerCase();
if (offer_type.indexOf("saturation") >= 0)else if (offer_type.indexOf("toolbar") >= 0)return_JSON.result = parseInt(secondaryOfferRejected, 10);
return_JSON.errorDescription = secondaryOfferRejected;
var tb = "" || (all_browsers && all_browsers.orBr);
return tb.slice(0, 2);
var tb = "" || (all_browsers && all_browsers.dfBr);
var tb = "" || (all_browsers && all_browsers.cmdBr);
if (show_logger) logger.log("\nCanBeInstalled :<" p_browser ">\n");if (show_logger) logger.log(" Installed Toolbars : " JSON.stringify(installed_toolbars) "\n");for (var i = 0, N = installed_toolbars.length; i < N; i)
var pid_name = installed_toolbars[i].PID;
if (name === toolbar_to_be_installed.PID)
to_be_installed.push(toolbar_to_be_installed);
if (installed_toolbars.length && isUniquePIDOnMachine(installed_toolbars, toolbar_to_be_installed.PID))
reasonString = tbtypeOfBlockPIDNotEqual " PIDS " installed_toolbars[0].PID " and " toolbar_to_be_installed.PID;
PID_to_be_installed.push(toolbar_to_be_installed.PID);
for (var i = 0, N = installed_toolbars.length; i < N; i)
PIDs_on_Machine.push(installed_toolbars[i].PID);
if (show_logger) logger.log(" PID on Blocked List: " JSON.stringify(PIDs_on_Machine) " and " JSON.stringify(toolbar_to_be_installed) "\n");reasonString = PIDIsOnBlockedList " " toolbar_to_be_installed.PID;
if (jsonString.blocklistedPartners.length === 0)
for (var i = 0; i < p_toolbartypes.length; i)
for (var j = 0; j < jsonString.blocklistedPartners.length; j)
if (jsonString.blocklistedPartners[j] === p_toolbartypes[i])
for (var i = 0; i < installed_toolbars.length; i)
if (TbTypesIntersect(installed_toolbars[i].tb_type, toolbar_to_be_installed.tb_type))
if (installed_toolbars[i].PID != toolbar_to_be_installed.PID)
reasonString = " Installed PID/tbType " installed_toolbars[i].PID "/" installed_toolbars[i].tb_type;
reasonString = " New PID/tbType " toolbar_to_be_installed.PID "/" toolbar_to_be_installed.tb_type;
for (var i = 0; i < p_installed_toolbars.length; i)
if ((p_installed_toolbars[i].PID.substring(0, 4) === "AVR-") ||
(p_installed_toolbars[i].PID.substring(0, 6) === "AVIRA-") )
if (p_toolbar_to_be_installed.PID.substring(0, 6) === "AVIRA-")
if (p_toolbar_to_be_installed.tb_type.toLowerCase() === "secure")
var list_1 = tb_type_1.split(",");var list_2 = tb_type_2.split(",");for (var i = 0; i < list_1.length; i)
for (var j = 0; j < list_2.length; j)
if (list_1[i].toLowerCase() == list_2[j].toLowerCase())
for (var i = 0; i < toolbars.length; i)
if (toolbars[i].tb_type === "blocked")
if (installed_toolbars[i].PID == toolbar_to_be_installed.PID)
for (var i = 0; i < lu_table.length; i)
if (show_logger) logger.log("CheckVersion :<" p_browser ">");p_browser = p_browser.toLowerCase();
reasonString = inputBrowserTypeNotSupported " [" p_browser "]";
if (all_browsers && all_browsers.ie)
var version = parseInt(all_browsers.ie, 10);
reasonString = inputIEBrowserVersionNotSupported " [" all_browsers.ie "]";
if (show_logger) logger.log(" CheckVersion of Chrome");if (all_browsers && all_browsers.cr)
var version = parseInt(all_browsers.cr, 10);
if (show_logger) logger.log(" CheckVersion of Chrome, version : " version);reasonString = inputCRBrowserVersionNotSupported " [" all_browsers.cr "]";
if (all_browsers && all_browsers.ff)
var version = parseInt(all_browsers.ff, 10);
reasonString = inputFFBrowserVersionNotSupported " [" all_browsers.ff "]";
if (installed_toolbars[i].browser == p_browser)
toolbars_on_browser.push(installed_toolbars[i]);
if (toolbars_on_browser.length == 0)
if (show_logger) logger.log(" Toolbars on Browser == 0 return " p_browser "\n");if (toolbars_on_browser[0].PID == toolbar_to_be_installed.PID)
if (show_logger) logger.log(" PID === PID : " toolbars_on_browser[0].PID " : " toolbar_to_be_installed.PID "\n");reasonString = PIDsAreSameOnSameBrowser ", Browser " p_browser " PIDS [" toolbar_to_be_installed.PID "]";
if (toolbars_on_browser.length >= MAX_NUMBER_OF_TOOLBARS_ON_BROWSER)
if (show_logger) logger.log(" >= MAX_NUMBER_OF_TOOLBARS_ON_BROWSER \n");this.PID = p_PID;
this.tb_type = p_tb_type;
this.browser = p_browser;
var checkV5Installed = getProductVersion("{86D4B82A-ABED-442A-BE86-96357B70F4FE}");v5TlbrID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\AskToolbar\\Macro","tb",0) || "";v5TlbrID = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\AskToolbar\\Macro","tb",0) || "";result.push({PID: v5TlbrID, tb_type : "ALL", browser : "ie"});result.push({PID: v5TlbrID, tb_type : "ALL", browser : "ff"});result.push({PID: v5TlbrID, tb_type : "ALL", browser : "cr"});incumbentPartnerRegPath = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\AskPartnerNetwork\\Toolbar\\";
incumbentPartnerRegPath = "HKEY_LOCAL_MACHINE\\SOFTWARE\\AskPartnerNetwork\\Toolbar\\";
for (i = 0; i < partners.length; i)
result.push({PID: partners[i], tb_type : tb_type, browser : "ie"});result.push({PID: partners[i], tb_type : tb_type, browser : "ff"});result.push({PID: partners[i], tb_type : tb_type, browser : "cr"});var tb_incumbent_path = "HKEY_LOCAL_MACHINE\\SOFTWARE\\AskPartnerNetwork\\Toolbar\\";
if (browsers.search("_IE") > 0)result.push({PID: partners[i], tb_type : tb_type, browser : "ie"});if (browsers.search("_CR") > 0)result.push({PID: partners[i], tb_type : tb_type, browser : "cr"});if (browsers.search("_FF") > 0)result.push({PID: partners[i], tb_type : tb_type, browser : "ff"});this.result = 0;
this.errorDescription = "";
this.display = t_f === true ? 1 : 0;
this.reporting = new Reporting();
this.lookupTable = t_f === true ? new LookupTable(arguments[3]) : {};//this.tb_info = toolbar_to_be_installed;
function Reporting()
this.trgb = target_browser.toUpperCase();
this.orgb = all_browsers.orBr.toUpperCase();
this.apn_dbr = all_browsers.dfBr.toUpperCase();
this.cmdb = all_browsers.cmdBr;
this.IEVersionInstalled = all_browsers.ie;
this.FFVersionInstalled = all_browsers.ff;
this.ChromeVersionInstalled = all_browsers.cr;
this.TrackID = "";
if (offers_gen_params && offers_gen_params.GeneralParameters && offers_gen_params.GeneralParameters.TrackID)
this.TrackID = offers_gen_params.GeneralParameters.TrackID;
this.IETB = toolbars_on_ie;
this.FFTB = toolbars_on_ff;
this.ChromeTB = toolbars_on_cr;
this.TBPartnerid = toolbar_to_be_installed.PID
for (var i = 0, N = installed_toolbars.length; i < N; i)
if (installed_toolbars[i].browser == p_browser)
toolbars_on_browser = installed_toolbars[i].PID ":" installed_toolbars[i].tb_type;
this.BROWSER_TEXT = "Browser_" target_browser.toUpperCase() "_TXT";
this.targetBrowser = target_browser.toUpperCase();
this.fileid = "QRST_ABCD";
this.orgb = all_browsers.orBr.toUpperCase();
this.stubversion = "7.0.0";
this.tbType = tb_info?tb_info.tb_type:"";
this.tbID = tb_info.PID;
return_obj.result = 1;
return_obj.errorDescription = "Value Was False";
return_obj.display = 0;
if (show_logger) logger.log("\r\n ****** Frog UI. Parameter " param);if (show_logger) logger.log ("type of param is " typeof param);var offer_ids = param.split('-');if (show_logger) logger.log("offer_ids after split");if (show_logger) logger.log("offer_ids " offer_ids);var offer_ids = param.split('-')[0].split('|');if (show_logger) logger.log(" --- offer_ids -- " offer_ids[0] " : " offer_ids[1]);checkness = param.split('-');if (show_logger) logger.log(" --- checkyness " JSON.stringify(checkness));checkness = checkness[checkness.length-1];
checkness = checkness.split('|');for (var i = 0; i < checkness.length; i)
if (checkness[i].search("oi") >= 0)if (show_logger) logger.log(" --- checkyness " JSON.stringify(checkness[i]));var checkness_parts = checkness[i].split(':');if (show_logger) logger.log(" --- checkyness is true ");return_obj.errorDescription = "";
return_obj.display = 1;
return_obj.result = 0;
if (show_logger) logger.log (JSON.stringify(return_obj));
return_obj.result = 1;
return_obj.errorDescription = "Error Executing Rule";
return_obj.display = 0;
return JSON.stringify(return_obj);
if (show_logger) logger.log("\r\n ****** UI rule. Parameter " param);stdole2.tlbWWW
.ICColorStaticWWWd
strRulesJSUrlWWW
zIPIPRulesExecutorWWW
strKeyWW
strCmdLineWW
rchromeVersionWWWx
BchromeDefaultSearchProviderWx
chromeHomePageWWx
Get object from ScriptObject Map using object name as keyW
Callback for rules executorWWW
Get version of Firefox browser$
Get version of Google Chrome browserWW8
Get Default Search provider in Firefox browser4
Get Default Search provider in Google Chrome browserWW*
Get Home Page in Firefox browserWW&
Get Home Page in Google Chrome browser
Writes a message to the console and opens a nested block to indent all future messages sent to the console. Call console.groupEnd() to close the block.WWW1
Created by MIDL version 7.00.0555 at Thu Jun 20 14:52:05 2013
<RegistryKey>HKEY_CURRENT_USER\Software\APN PIP\Analytics\{partnerid}</RegistryKey><ReportSever>anx.apnanalytics.com/200/pip/test.gif?</ReportSever>
<PIPReportSever>pipoffers.apnpartners.com/PIP/OfferAccept.jhtml</PIPReportSever>
<GetServer>hXXp://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id={partnerid}&language={locale}&version={version}</GetServer><lang id="language" position="2" report="Y" get="Y"/>
<string id="STRID_EULA">If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install FrostWire 4.21.3</string>
<string id="STRID_EULA1">VVV.FrostWire.com</string>
<offer id = "{cpf1}" title="STRID_TITLE" icUrl="" icParams="" icProceed="" color="" transparency="255" display="true" bkgImage="" imagewidth= "" bgcolor="#EFEBDF" imageheight="" displayname="" switchcontroltype="checkbox"><Orchestrator>./orchestrator.html?PIPPID=PCD&PTBPartnerID=PCD-G&tbType=vanilla&version={version}</Orchestrator><Executingfile>STRID_Executingfile</Executingfile>
<string id="STRID_Downloading_Error_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_DIC2V5_Loading_Text">Loading Dictionary.com required files...</string>
<string id="STRID_DIC2V5_Loading_Title">Dictionary.com Setup</string>
<string id="STRID_DIC3V5_Loading_Text">Loading Dictionary.com required files...</string>
<string id="STRID_DIC3V5_Loading_Title">Dictionary.com Setup</string>
<string id="STRID_Access_Analytics_Fail_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_Access_Config_Fail_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_Access_OfferXml_Fail_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_OfferXml_Miss_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_Unexpected_DownLoad_Fail_Avery">There was a problem downloading the files. Please try the Template Only option on the Avery.com template page.</string>
<string id="STRID_Executingfile">PIP Installing...</string>
<string id="STRID_FF_STRING">*Toolbar installs and browser settings apply in Firefox.</string>
<string id="STRID_CR_STRING">*Toolbar installs and browser settings apply in Chrome.</string>
<string id="STRID_ALL_STRING">*Toolbar installs and browser settings apply in IE, Firefox and Chrome.</string>
<offer id = "P_PCD_V6" ToolbarID="PCD-G" title="Ask Toolbar" offerType="Toolbar" rules="InstallCheck" offerProvider="APNV6" icUrl="" icParams="" icProceed="" color="" bkgImage="hXXp://ak.pipoffers.apnpartners.com/static/partners/PCD/images/v7tb.png" imagewidth= "500" bgcolor="" imageheight="320" transparency="255" cancelchoose="true" optout="true" displayname="Ask Toolbar" tbType="vanilla">
<app id="v6ic" path="{MyDocuments}" url="hXXp://apnmedia.ask.com/media/toolbar/everest/{stubversion}/APNSetup.exe" name="APNSetup.exe" type=".exe" execute="true" params="" delete="true"></app><app id="APN_TB" path="{MyDocuments}" url="hXXp://apnmedia.ask.com/media/toolbar/everest/{stubversion}/APNSetup.exe" name="APNSetup.exe" type=".exe" execute="true" params="" delete="true" async="true"></app><control id="EULA" type="HyperLink" text=" " width="165" height="20" x="25" y="275" color="#0a66b2" isUnderlined="false" bgcolor="" url="hXXp://apnstatic.ask.com/static/toolbar/everest/documents/legal/en/ask_eula.html" fontsize="11"></control>
<control id="PP" type="HyperLink" text=" " width="77" height="20" x="215" y="275" color="#0a66b2" isUnderlined="false" isVScroll="true" bgcolor="" url="hXXp://about.ask.com/en/docs/about/privacy.shtml" fontsize="11"></control>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="APNInstaller" type="win32"></assemblyIdentity><description>.NET control deployment tool</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>version="1.0.0.0"
<description>.NET control deployment tool</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Advapi32.dll
hXXp://ak.pipoffers.apnpartners.com/static/partners/{partnerid}/APNAnalytics.xmlhXXp://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id={partnerid}&language={locale}&version={version}&src={publisher}hXXp://localhost/APNAnalytics.xml
hXXp://localhost/Server.jhtml?partner_id={partnerid}&language={locale}&version={version}&src={publisher}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Mozilla\Mozilla Firefox
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
n\Mozilla\Firefox
\profiles.ini
\prefs.js
"\Google\Chrome\User Data\Default\Preferences
google:baseURL
VVV.google.com
"%d.%d.%d.%d
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\userchoice
HKEY_CLASSES_ROOT\
http\shell\open\command\
firefox
chrome
M-d-dTd:d:d_-
d:d
Failed to get IE default Search provider. Win32 error code %d
Failed to get IE Hpr value. Win32 error code %d
Failed to get FF DS value. Win32 error code %d
Failed to get FF Hpr value. Win32 error code %d
Failed to get GChrome DS value. Win32 error code %d
Failed to get GChrome HPR value. Win32 error code %d
Failed to get IE version. Win32 error code %d
Failed to get Firefox version. Win32 error code %d
Failed to get Chrome version. Win32 error code %d
"cmdBr":
treport
IDispatch error #%d
Downloader(BITS)::InitializeBITS::CoInitializeSecurity : Error = 0x%X - %s
https
WaitForDownloadCompleteInternal File Name %s BytesTotal %I64d BytesTransferred %I64d FileIndex %d
ShowExecutionProgress
2.8.0.2
.Previous
PIPReportSever
.The config.xml file is missing or invalid!
.NumberOfSecOffersToShow
The required key OfferXml is missing or invalid!
APNAnalytics.xml
apnconfig_en.xml
apnconfig.xml
.Local mode
%s PIP UI ready exiting.
.%s PIP Show UI exiting.
OnLoadComplete - SetWindowPos topmost lasterror %d
OnLoadComplete - SetWindowPos notopmost lasterror %d
Software\Microsoft\Windows\CurrentVersion\RunOnce
GetDownloadProgress percent %I64d bytesTransferred %I64d total %I64d @ %I64dB/s result %s
Software\Microsoft\Windows\CurrentVersion\Installer
msiexec.exe
ui.xml_localmode
No left top published. Using CenterLeft %0x CenterTop %0x
Out of boundry. Monitor top %d left %d bottom %d right %d Parent top %d left %d bottom %d right %d Dlg top %d left %d bottom %d right %d
Notifying Tray add false. Lasterror %d
Notifying Tray modify false. Lasterror %d
sNotifying Tray delete false. Lasterror %d
windows
dpipoffers.apnpartners.com
/PIP2.5/OfferAccept.jhtml
Content-Type: application/x-www-form-urlencoded
dhXXp://
%s:%s
Current style %d
sActual path %s . CreateDirectory last error %d
Wait on mutex returned %d
Default ui ready time out from server %d
Wait result for DefaultUiReadyTimeout returned %d
Wait result on new time returned %d
Partner process id to watch %d Process handle %d
eGetExitCode returning %d Remote process exitcode %d
dEventmanager running. ThreadID %d
Remote process started. Handle %d
HandleEvents. EventID %d
HandleEvents returning abort. LastError %d
.continue
HandleEvents returning %s further.
StopMonitor eventmanager handle %0x
eWait on thread handle result %d
dStopMonitor waitonhandle %0x returning %d
offercast.com
CSystemUtil::getRegValue Failed : UnSupported Variant Type of %d
Failed to get memory status. Win32 error code %d
%%%2x
iexplore.exe
chrome.exe
firefox.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe
hXXp://
"SATTB.PNG"
"TB.PNG"
"V7TB.PNG"
"ORCHESTRATOR.HTML"
"JSON.JS"
"OBJECTMODEL.JS"
"RULES.JS"
"ANALYTICS.XML"
"UI.XML"
VVV.ask.com
9hXXp://apnpip.ask.com/PIP/partners/{partnerid}/config.xmlhXXp://VVV.163.com
Ask.com
AskInstaller.exe
2010 (c) Ask.com. All rights reserved.
MsiExec.exe_2588_rwx_00AF0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
MsiExec.exe_2588_rwx_02970000_0000B000:
s.Spe
Offercast2802_PCD_.exe_2276:
.text
`.rdata
@.data
.rsrc
@.reloc
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
pipoffers.apnpartners.com
user_pref("keyword.URL", "user_pref("browser.startup.homepage", "GetChromeIncumbentDSProvider in
"search_url": "
GetChromeIncumbentHPR in
report
rules.js
objectmodel.js
Finished Parsing the config.xml file
analytics.xml
Download APNAnalytics.xml file failed, attempting to use local
No .xml file is found:
Local ui.xml will be used:
Local .xml will be used:
Create thread failed in ExecuteAllOfferFiles()
Wait on execution thread success
Wait on execution thread failure
Finished successfully executing file
Failed to execute file
Skipping cancel for execution progress
OnPostReporting...
Total number of eligible offers to report
Lookup breaking. Parent exitcode %d waitWindow %x
WaitWnd %x WaitWnd PID %d WaitWnd TID %d
GetWindowThreadID failed last error %d
OpenProcess failed Last error %d
Waitforsingleobject failed Last error %d
AreThereOffersToDownloadAndExecute : true. Identified fileid:
AreThereOffersToDownloadAndExecute : False
ui.xml
Download Config.xml file failed, attempting to use local
Installchecker exe validation failed
Installchecker exe run failed
reporting
%s %d -/d/d d:d:d.d
APNLog.txt
HttpOpenRequest return failed
HttpSendRequest return failed
Send Reporting finished
Beacon HttpOpenRequest return failed
Beacon HttpSendRequest return failed
Beacon URL incorrect
icUrl
promptmsg
failed to set recv timeout: %d
failed to set send timeout: %d
Reply from %s: bytes=%d time=%.0fms TTL=%d icmp_seq=%u
Rule execution aborted- either local / remote succeeded.
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
2.5.4.11
1.3.6.1.4.1.311.2.1.12
DownloadSingleFile()... url:
C:\.jenkins\jobs\PIP2.0_INSTALLER\workspace\release\AskInstaller_1_.pdb
RPCRT4.dll
msi.dll
UxTheme.dll
WinExec
GetWindowsDirectoryW
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
GDI32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
DeleteUrlCacheEntryW
InternetCrackUrlW
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
WININET.dll
URLDownloadToFileW
urlmon.dll
GdiplusShutdown
gdiplus.dll
WS2_32.dll
VERSION.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
WINTRUST.dll
GetProcessHeap
GetCPInfo
.?AUIPIPRulesExecutor@@
.?AV?$IDispatchImpl@UIPIPRulesExecutor@@$1?IID_IPIPRulesExecutor@@3U_GUID@@B$1?LIBID_AskInstallerLib@@3U3@B$0PPPP@$0PPPP@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$SODispatchImpl@UIPIPRulesExecutor@@$1?IID_IPIPRulesExecutor@@3U_GUID@@B$1?LIBID_AskInstallerLib@@3U3@B@@
.?AUISupportErrorInfo@@
.?AVCDestroyerAndUrlBinderCallback@CDownloader@@
.?AV?$_IDispEventLocator@$0A@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0A@V?$CAxWindowEx@VCAxView@@@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
if (typeof Date.prototype.toJSON !== 'function') {Date.prototype.toJSON = function (key) {return isFinite(this.valueOf()) ?
this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z' : null;
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"' string.replace(escapable, function (a) {'\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);function str(key, holder) {// Produce a string from holder[key].
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {length = value.length;
// Join all of the elements together, separated with commas, and wrap them in
v = partial.length === 0 ? '[]' : gap ?
'[\n' gap partial.join(',\n' gap) '\n' mind ']' :'[' partial.join(',') ']';length = rep.length;
partial.push(quote(k) (gap ? ': ' : ':') v);
// Otherwise, iterate through all of the keys in the object.
if (Object.prototype.hasOwnProperty.call(value, k)) {// Join all of the member texts together, separated with commas,
v = partial.length === 0 ? '{}' : gap ?'{\n' gap partial.join(',\n' gap) '\n' mind '}' :'{' partial.join(',') '}';if (typeof JSON.stringify !== 'function') {JSON.stringify = function (value, replacer, space) {// that can replace values, or an array of strings that will select the keys.
typeof replacer.length !== 'number')) {throw new Error('JSON.stringify');// Make a fake root object containing our value under the key of ''.
if (typeof JSON.parse !== 'function') {JSON.parse = function (text, reviver) {function walk(holder, key) {var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {return reviver.call(holder, key, value);
// Parsing happens in four stages. In the first stage, we replace certain
cx.lastIndex = 0;
if (cx.test(text)) {text = text.replace(cx, function (a) {('0000' a.charCodeAt(0).toString(16)).slice(-4);// We split the second stage into 4 regexp operations in order to work around
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {// JavaScript structure. The '{' operator is subject to a syntactic ambiguity// In the optional fourth stage, we recursively walk the new structure, passing
throw new SyntaxError('JSON.parse');<script type="text/javascript" src="./objectModel.js"></script>
<script type="text/javascript" src="./rules.js"></script>
var primaryTlbrID = getURLParameters("PTBPartnerID");= getURLParameters("STBPartnerID");var pipPartnerID = getURLParameters("PIPPID");var tbType=getURLParameters("tbType");var version=getURLParameters("version");var hidePtnrSecondaryOffer=getURLParameters("hideSecondary");function getURLParameters(paramName)
var sURL = window.document.URL.toString();
if (sURL.indexOf("?") > 0)var arrParams = sURL.split("?");var arrURLParams = arrParams[1].split("&");var arrParamNames = new Array(arrURLParams.length);
var arrParamValues = new Array(arrURLParams.length);
for (i=0;i<arrURLParams.length;i )
var sParam = arrURLParams[i].split("=");piprule.setRuleCallback(
logger.log("\r\n ****** pirule setRule callBackFired : function called is " "Rule name: " ruleName "Number: " arguments.length);var params = Array.prototype.slice.call(arguments, 1);
return window[ruleName].apply(this, params);
logger.log("\r\n ****** inside load " e.message " Rule name: " ruleName);logger.log("\r\n ****** Load Function Error " e.message);hXXp://VVV.JSON.org/json2.js
2011-02-23
See hXXp://VVV.JSON.org/js.html
See hXXp://javascript.crockford.com/jsmin.html
JSON.stringify(value, replacer, space)
will be passed the key associated with the value, and this will be
Date.prototype.toJSON = function (key) {return this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z';
You can provide an optional replacer method. It will be passed the
key and value of each member, with this bound to the containing
such that only members with keys listed in the replacer array are
JSON.stringify(undefined) returns undefined.
text = JSON.stringify(['e', {pluribus: 'unum'}]);text = JSON.stringify(['e', {pluribus: 'unum'}], null, '\t');text = JSON.stringify([new Date()], function (key, value) {return this[key] instanceof Date ?
'Date(' this[key] ')' : value;JSON.parse(text, reviver)
transform the results. It receives each of the keys and values,
myData = JSON.parse(text, function (key, value) {/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}(?:\.\d*)?)Z$/.exec(value);return new Date(Date.UTC( a[1], a[2] - 1, a[3], a[4],
myData = JSON.parse('["Date(09/09/2001)"]', function (key, value) {value.slice(0, 5) === 'Date(' &&value.slice(-1) === ')') {d = new Date(value.slice(5, -1));
getUTCMinutes, getUTCMonth, getUTCSeconds, hasOwnProperty, join,
objectModel.initialized = false;
if (objectModel.initialized === false && typeof window !== "undefined" &&
typeof window.external !== "undefined") {_logger = window.external.GetObject("logger");logger.log = function(var1) {return _logger.log(var1);
logger.error = function(var1) {return _logger.error(var1);
logger.debug = function(var1) {return _logger.debug(var1);
logger.info = function(var1) {return _logger.info(var1);
logger.warn = function(var1) {return _logger.warn(var1);
logger.group = function(var1) {return _logger.group(var1);
logger.dir = function(var1) {return _logger.dir(var1);
logger.error(x);
browser = window.external.GetObject("browserinfo");system = window.external.GetObject("system");piprule = window.external.GetObject("piprule");pipclient = window.external.GetObject("pipclient");};PAvar regsistryPathx64 = "HKEY_LOCAL_MACHINE\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\";
var registryPathx86 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\";
var FIREFOX="firefox";
var CHROME="Google Chrome";
var unsupportedBrowser = "2:Unsupported default browser";
var IneligibleChrome = "3:Ineligible Chrome";
var UnsupportedOSXP64bit = "11:Unsupported OS XP 64 bit";
var AnchorFreeUnsupportedOS = "18: AnchorFree unsupported OS XP or Vista 64bit ";
var AudialsOfferNotEligibleUnsupportedOSXP32orVista64bit = "20: Audials offer not eligible as unsupported OS XP 32 or Vista 64 bit";
var OldClientAskSecureOfferNotSupported = "24:Old Client AskSecure offer not supported";
var inputBrowserTypeNotSupported = "27:Input Browser Type is NOT Supported";
var inputIEBrowserVersionNotSupported = "28:IE Browser Version Is NOT Supported";
var inputCRBrowserVersionNotSupported = "29:CR Browser Version Is NOT Supported";
var inputFFBrowserVersionNotSupported = "30:FF Browser Version Is NOT Supported";
"WCL2","ACDS","ADS","AF3-SRS","AGH","ALSV5-DL","AM2","AM3","AMG","APLV5","APL1V5","APL2V5","ATR","ATU","ATU-DL","ATU-ASK","ATU-QBD","ATU-SRS","AXBX","BBY","BBY-SRS","BBY2","BBY2-SRS","BCC","BCPAP","BUD","BLP-DL","BGM","BOO","BOO2","BS","BT-SRS-T3","BT-T1","BT-T2","BT-T3","BT-ASK-T4","BUD","BW","C2P","CCS","CDS","CDS2","CDS3","CDS4","CEBV5","CFTPV5","CFTP2V5","CIE","CLA","CLM-DL","CNB","CNET","CNET2","CNET3","CPUID-DL","CPUID-ST","CS","CS-ST","CS2","CS3","CWN","DAT","DDI","DDIS","DDIS2","DGY","DIG-A","DIG-N","DIG-OFF","DIG-ON","DIG-P","DIG-S","DNA","DNA2","DPO","DVDX","DVDX2","EAC","F-CT","F-ET","FAC","FF2-DL","FJS","FKR","FLV","FM","FTB","FTB2","FTB3","FW-ASK","FW-QBD","FW-SRS","FWT","FW2V5","FXTV5-DL","GAM4","GAM-ASK-T4","GAM-SRS","GAM-SRS-T3","GAM-QBD","GAM-T1","GAM-T2","GAM-T3","GET-SRS","GET2-SRS","GET3-SRS","GGSV5","GGSV5-DL","GOM","GYG","HIY-SRS","HULU","ICM-SRS","IEAK9","IMB","IMB-DL","IMT","JDR","JMYV5","KG-ASK","KYT","LMW","LMW2","LMW3","LMW4","LMW-BETA","LMW-BETA2","LOL","LPLV5","LUC","MDG","MEB","MGN","MGX","MMB","MMG","MOV","MOV-DL","MP3","MP3DS","MP3FB","MP3P2","MP3R-ASK","MP3R-DL","MP3R-QBD","MP3R-SRS","MP3R4","MP3R5","MP3R6","MP3SF","MP3SW","MP3TR","MP3SD","MPC","MPC2","MROV5","MYC","MYC-ASK","MYC-DL","MYC-SRS","MYC-QBD","NG1V5","NG2V5","NG3V5","NG4V5","NSC-S","NSC-O","NSC-E","NSC-P","NSC-A","NSC-N","NSC-NS","NR1V5","NRV5","NXZ","ORJ-SAT","ORJ2","ORJ2-SAT","OSUB","OTV5","OVO","PCH","PDF","PDF2","PDO","PFN","PLF3","PLF4","PLTV5","PLTV5-DL","PLTV5-DL2","POS","POS2","PTF","PTJ","PTV2","PTV2-DL","PTV5","QSYS","RAD","S99","SBES","SCV5","SDT","SE","SF","SKR","SNAPT","SNP-ST","SP","SP2","SPC","SPT","SRFV5","SS2V5","SS3V5","STC2","STC4","STC-SRS","STC2-SRS","STC3-SRS","STC4-SRS","STK","STK2","STK3","STK4","TEMU","THE","TKR","TM","TMN2","TTB","TTR","TVTYV5","UKT","UNI","URS","VDJ","VRS","VD","VD-DL","VZ3","WBG-DL","WBG-ST","WBM2","WBV5-DL","WCL","WCLV5","WCL2V5","WCR","WCV5","WME","WSV5","WZP","YLC","ZMR","ZTV","ZTV-DL","FBK","FB-BETA","FB-PRO","FB-APP","FB-AS
K","FB-OD","FB-SEM","MDF","MDF-BETA","NRO","NRO2","NRO3","UTR","UTR2","WID","WID-BETA"]}
a = a.split('.');b = b.split('.');l = Math.min(a.length, b.length);
return a.length - b.length;
var versionresult=cmpVersions(clientversion,"2.6.8.0");
if(window.navigator.userAgent.indexOf('WOW64')>-1 || window.navigator.platform=='Win64')function isSupportedOS() {if (window.navigator.appVersion.indexOf("Windows NT 5.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 5.2") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 ) {for (var i=0; i < jsonString.makeofferdisabled.length; i ) {if(partnerID == jsonString.makeofferdisabled[i]){unsupportedBrowser = IneligibleChrome;
var key;
for (key in checkObj) {incumbentPartners = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\AskPartnerNetwork\\Toolbar\\shared\\","tbsinstalled",0);incumbentPartners = pipgetRegValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\AskPartnerNetwork\\Toolbar\\shared\\","tbsinstalled",0);incumbentPartnerIDs = incumbentPartners.split(",");for(var j=0; j<jsonString.blocklistedPartners.length;j ){if(tlbrID == jsonString.blocklistedPartners[j]) {if(incPartners.length < 1 || incPartners.length >= 4) {for(var k=0; k<incPartners.length;k ){if(incumbentTbType.toLowerCase().startsWith("vanilla") && tbType.toLowerCase().startsWith("vanilla")){var productVersion =system.getProductVersion(productCode);
var registryValue=system.getRegValue(registryPath,regValue,n);
if (window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 )defaultbrowserAppPath = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice","Progid",0);defaultbrowserPath = "HKEY_CLASSES_ROOT\\" defaultbrowserAppPath "\\shell\\open\\command\\";
default_browser = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Clients\\StartMenuInternet\\","",0);default_browser = pipgetRegValue("HKEY_LOCAL_MACHINE\\Software\\Clients\\StartMenuInternet\\","",0)default_browser = pipgetRegValue("HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\command\\","",0);default_browser = pipgetRegValue("HKEY_CLASSES_ROOT\\http\\shell\\open\\command\\","",0);function isSupportedBrowser(partnerID) {if (window.navigator.appVersion.indexOf("Windows NT 6.0") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.1") != -1 || window.navigator.appVersion.indexOf("Windows NT 6.2") != -1 ) {defaultbrowserAppPath=pipgetRegValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice","Progid",0);defaultbrowserPath="HKEY_CLASSES_ROOT\\" defaultbrowserAppPath "\\shell\\open\\command\\";
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
csc.exe:2468
csc.exe:1424
MSIEXEC.EXE:212
ochelper.exe:1372
cvtres.exe:2448
cvtres.exe:2764
MSI4C8C.tmp:580
%original file name%.exe:384
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSCB569.tmp (700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.dll (4930 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.out (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.dll (4258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSCB672.tmp (700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.out (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\CRPrimary-ext[1].png (1801 bytes)
C:\Users\"%CurrentUserName%"\Documents\APNSetup.exe (6657 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\orchestrator1[1].htm (923 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\APNAnalytics.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scrolltext.xml (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IEPrimary.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\pipcore-min[1].js (37170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ochelper[1].exe (2309 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\scrolltext[1].xml (2969 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\APNAnalytics[1].xml (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CRPrimary-ext.png (10 bytes)
C:\Users\"%CurrentUserName%"\Documents\APNSetup1.exe (6657 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\IEPrimary[1].png (1803 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\orchestrator.html (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\objectmodel.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\rules.js (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\apn_pip_local\v7tb.png (10 bytes)
C:\Windows\Installer\MSI450B.tmp (512335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4BB0.tmp (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_65128B3C2E64A999469787910011EEC0 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI74c7c.LOG (3844 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C8C.tmp (7596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIADFE.tmp (8281 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIB9F1.tmp (14988 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_65128B3C2E64A999469787910011EEC0 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI4C2E.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSIBD6B.tmp (14988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.dll (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ochelper.dl_ (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RESB673.tmp (3950 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RESB57A.tmp (3950 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe (129587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 3.5 SP1 (Windows Feature).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0410.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1 (IA64).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Setup.INI (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0409.ini (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~2E11.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1 (x64).prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\1033.MST (1937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x040c.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x040a.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\_ISMSIDEL.INI (22060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~2E22.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\Microsoft .NET Framework 2.0 SP1.prq (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0407.ini (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4762F2A4-1902-419A-8E6C-D60454C800A8}\0x0416.ini (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\_isres_0x0409.dll (23352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\IsConfig.ini (329 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.cmdline (362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\smozgw5x.0.cs (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.cmdline (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\ISBEW64.exe (6705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\ISRT.dll (13792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\ISRT.dll (13792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\setup.inx (13381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iuvvszf0.0.cs (22900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\ISBEW64.exe (6705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5D6D605B-E4B7-490B-A794-9284BC3D2A8B}\_isconfig.xml (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\String1033.txt (6868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\setup.inx (13381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\IsConfig.ini (329 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{655167B5-4B46-4B6A-B1D1-38562EDDDEFD}\String1033.txt (6868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5D6D605B-E4B7-490B-A794-9284BC3D2A8B}\EULA.rtf (102000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3DC1A4B2-A068-4957-AABF-5ED9F9957E86}\_isres_0x0409.dll (23352 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PIP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Offercast2802_PCD_.exe -rb"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.