SearchProtectToolbar_pcap_053053d504
SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 053053d504bc2ba423b7102fcccf76ab
SHA1: 8dbaddaaa84460c50f36ab036d31853b9d2fa7c3
SHA256: e3d9e9ff46f54c14413e373619aec6b751f79d56c7f1ae9ad0e4874232d8240c
SSDeep: 24576:d/TtvgkPMZdIIYw4JHS3W8ru 12G XWVbqp7rHX:nzx/LoBaE2BmVbOX
Size: 887632 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-10 04:20:55
Analyzed on: WindowsXP SP3 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:496
%original file name%.exe:1360
%original file name%.exe:1116
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1360 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P9POCHL3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\177\tidy_nowuseeit_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\165\knctr_nowuseeit_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\153\arcadetwist_knctr_nowuseeit_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\183\nowuseeit_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\169\knctr_nowuseeit_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\141\arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\122\arcadetwist_nowuseeit_knctr_pcacceleratepro_updateadmin_628.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1\do_tracking_hit.lua (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\132\arcadetwist_nowuseeit_systemhealer_knctr_updateadmin_628.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\173\tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1eUeCBzMx.dll (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\161\knctr_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1\codecpacks_satellitesite.mht (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\wbk2.tmp (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\127\arcadetwist_nowuseeit_onesystemcare_knctr_updateadmin_628_3.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\137\arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TS2H88Q6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\2200IsXQsI.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\181\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F2MQ8WVM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\145\arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\149\arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\common.js (118 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\AutoFeatureMod.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\OfferScreenParamete.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\iconChe.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\knockout-2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk6.tmp (0 bytes)
Registry activity
The process %original file name%.exe:496 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F F7 38 AA B2 AA 7F F1 98 C4 FA 22 DD EC 32 E8"
The process %original file name%.exe:1360 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016030520160306]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016030520160306\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016030520160306]
"CacheOptions" = "11"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016030520160306]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 99 AC 56 F7 DC 3C 04 B8 E5 C9 9A 00 F5 D1 8F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016030520160306]
"CachePrefix" = ":2016030520160306:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016030520160306]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Malware deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1116 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D7 37 59 30 5B 93 5E CE CF 5B FA 30 B8 A2 5C"
Dropped PE files
| MD5 | File path |
|---|---|
| c13739117f10069083ab024a49640d3a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1eUeCBzMx.dll |
| d4600ab740545c2d20469300713ba667 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\2200IsXQsI.dll |
| 5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\kLoPVvrSyZOofGUugHSsEez1.dll |
| f0c59526f8186eadaf2171b8fd2967c1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\lua51.dll |
| 44dac7f87bdf94d553f8d2cf073d605d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Developed Small Install System
Product Name: Developed Small Install System
Product Version: 48.4.6.5687
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 48.4.6.5687
File Description: Developed Small Install System
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 53307 | 53760 | 4.47366 | 0d0100853b58de72a4846c8116abae4e |
| .rdata | 61440 | 7740 | 8192 | 3.72397 | 4a48db0d8fd3cabe1e1666d9d00e6d72 |
| .data | 69632 | 16276 | 12800 | 5.22978 | 868e54e4d09cb484ad2ce6b2f8dc7792 |
| .rsrc | 86016 | 7032 | 7168 | 3.20951 | f3c4b42de658aba7164ee066d3b3a615 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://service.downloadadmin.com/install?bc=1185711&pid=softrevoz&brand=softrevoz.com&c=codec_pack&country=EU&osName=Windows&osVersion=8.1&browserName=Opera&browserVersion=32&secure=true&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&checksum=0 | |
| hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | |
| hxxp://service.downloadadmin.com/env?browserVersion=32&osVersion=8.1&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&browserName=Opera&c=codec_pack&brand=softrevoz.com&pid=softrevoz&bc=1185711&osName=Windows&country=UA | |
| hxxp://a728.g.akamai.net/binstallers/BM2/DigitialDigest/ipage/codecpacks_satellitesite.mht | |
| hxxp://a728.g.akamai.net/binstallers/BM2/api/do_tracking_hit.lua | |
| hxxp://a728.g.akamai.net/products/BM2/combos/penta/arcadetwist_nowuseeit_knctr_pcacceleratepro_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/penta/arcadetwist_nowuseeit_onesystemcare_knctr_updateadmin_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/penta/arcadetwist_nowuseeit_systemhealer_knctr_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/onesystemcare_tidy_double628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/nowuseeit_tidy_double_628_3.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/nowuseeit_tidy_double_628_3.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/onesystemcare_tidy_double628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/penta/arcadetwist_nowuseeit_knctr_pcacceleratepro_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/binstallers/BM2/DigitialDigest/ipage/codecpacks_satellitesite.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/penta/arcadetwist_nowuseeit_onesystemcare_knctr_updateadmin_628_3.mht | |
| hxxp://mirror.ramtransmission.info/binstallers/BM2/api/do_tracking_hit.lua | |
| hxxp://mirror.downloadnet1210.com/products/BM2/combos/penta/arcadetwist_nowuseeit_systemhealer_knctr_updateadmin_628.mht | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /install?bc=1185711&pid=softrevoz&brand=softrevoz.com&c=codec_pack&country=EU&osName=Windows&osVersion=8.1&browserName=Opera&browserVersion=32&secure=true&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&checksum=0 HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 05 Mar 2016 07:42:14 GMT
Age: 0
X-TVAR:
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <CustomParameter Name="ProductName">@ProductName</CustomParameter>
    <CustomParameter Name="ProductFileSize">@{ProductFileSize|1mb}</CustomParameter>
    <CustomParameter Name="ProductTos">@{ProductTos|hXXp://codecpacks.com/tos.html}</CustomParameter>
    <CustomParameter Name="PrivacyUrl">@{PrivacyUrl|hXXp://codecpacks.com/privacy.html}</CustomParameter>
    <File Action="Run before Offer" Destination="" DirMode="false" FileType="Content" ForceCreate="true" Options="@StartTrackingUrl" Scramble="false" ShowFolder="false" SourceDir="" SourceFile="hXXp://mirror.ramtransmission.info/binstallers/BM2/api/do_tracking_hit.lua" WaitForExe="false" id="file-2"/>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <ProductBinary embed="false" msioptions="@ProductMsiOptions" options="@ProductOptions">@ProductBinaryUrl</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/DigitialDigest/ipage/codecpacks_satellitesite.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>1177436</ProductId>
    <ProductName>@{ProductName|Digital Digest Satellite Site}</ProductName>
    <Scramble>false</Scramble>
  </Bundle><<< skipped >>>
GET /env?browserVersion=32&osVersion=8.1&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&browserName=Opera&c=codec_pack&brand=softrevoz.com&pid=softrevoz&bc=1185711&osName=Windows&country=UA HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 05 Mar 2016 07:42:23 GMT
Age: 0
X-TVAR:
X-Cache: MISS
00e46
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer><Environment>
<Entry name="over-threshold:Super Optimizer (GB)">true</Entry>
<Entry name="over-threshold:Web Bar (AU)">true</Entry>
<Entry name="over-threshold:PremierOpinion (CN)">true</Entry>
<Entry name="over-threshold:PremierOpinion (BE)">true</Entry>
<Entry name="over-threshold:PremierOpinion (ES)">true</Entry>
<Entry name="over-threshold:PremierOpinion (IN)">true</Entry>
<Entry name="over-threshold:PremierOpinion (JP)">true</Entry>
<Entry name="over-threshold:PremierOpinion (HK)">true</Entry>
<Entry name="over-threshold:PremierOpinion (PT)">true</Entry>
<Entry name="over-threshold:PremierOpinion (TH)">true</Entry>
<Entry name="over-threshold:PremierOpinion (TW)">true</Entry>
<Entry name="over-threshold:Web Bar (FR)">true</Entry>
<Entry name="over-threshold:Web Bar (DE)">true</Entry>
<Entry name="over-threshold:Web Bar (RU)">true</Entry>
<Entry name="over-threshold:Cassiopesa (US)">true</Entry>
<Entry name="over-threshold:SearchProtect (US) (Master) (Regkey)">true</Entry>
<Entry name="over-threshold:Web Companion (Lavasoft)">true</Entry>
<Entry name="over-threshold:Wajam (US)">true</Entry>
<Entry name="over-threshold:Super Optimizer (US)">true</Entry>
<Entry name="over-threshold:Cassiopesa (CA)">true</En<<< skipped >>>
POST /install?bc=1185711&pid=softrevoz&brand=softrevoz.com&c=codec_pack&country=EU&osName=Windows&osVersion=8.1&browserName=Opera&browserVersion=32&secure=true&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185711&pid=softrevoz&brand=softrevoz.com&c=codec_pack&country=EU&osName=Windows&osVersion=8.1&browserName=Opera&browserVersion=32&secure=true&productKey=hwwedolxmci3l2unufmvt6bepfguguhu&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185711&pid=softrevoz&brand=softrevoz.com&c=codec_pack&country=EU&osName=Windows&osVersion=8.1&browserName=Opera&browserVersion=32&secure=true&productKey=hwwedolxmci3l2unufmvt6bepfguguhu
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
X-Exename: %original file name%.exe
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: service.downloadadmin.com
Connection: Keep-Alive
delta=281
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Sat, 05 Mar 2016 07:42:17 GMT
Age: 0
X-TVAR:
X-Cache: MISS
0
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Sat, 05 Mar 2016 07:42:17 GMT
Age: 0
X-TVAR:
X-Cache: MISS
0
GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"
Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT
Accept-Ranges: bytes
Content-Length: 73310
Content-Type: application/zip
Date: Sat, 05 Mar 2016 07:42:23 GMT
Connection: keep-alive
<<< skipped >>>
GET /binstallers/BM2/DigitialDigest/ipage/codecpacks_satellitesite.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "3b271cbf478e072bc94be19b8408d871:1425655378"
Last-Modified: Fri, 06 Mar 2015 15:22:58 GMT
Accept-Ranges: bytes
Content-Length: 61494
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Product Name..Date: Mo
n, 20 Oct 2014 17:40:00 -0400..MIME-Version: 1.0..Content-Type: multip
art/related;...type="text/html";...boundary="----=_NextPart_000_0000_0
1CFEC8C.DF382910"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.
17609..This is a multi-part message in MIME format...------=_NextPart_
000_0000_01CFEC8C.DF382910..Content-Type: text/html;...charset="utf-8"
..Content-Transfer-Encoding: quoted-printable..Content-Location: file:
//C:\offerscreen\vitallia_primary_4.html..=EF=BB=BF<!DOCTYPE HTML P
UBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/
TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/199
9/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..ME
TA=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..&l
t;META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000"> =20
..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D
"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///
C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"><
;/SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/OfferScre
enParameters.js" =..type=3D"text/javascript"></SCRIPT>.. <
;TITLE =..data-bind=3D"text:$root.customParameters()['ProductName']"&g
t;Product=20..Name</TITLE>=20..<META http-equiv=3D"Content-Ty
pe" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE><<< skipped >>>
GET /products/BM2/combos/penta/arcadetwist_nowuseeit_knctr_pcacceleratepro_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "354a39e3d7d693ebe97d8c4df3f5c154:1455750226"
Last-Modified: Wed, 17 Feb 2016 23:03:46 GMT
Accept-Ranges: bytes
Content-Length: 226421
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Windows Internet Explorer 8"..Subject: Search.com 628
by 282..Date: Wed, 17 Feb 2016 15:42:00 -0500..MIME-Version: 1.0..Cont
ent-Type: multipart/related;...type="text/html";...boundary="----=_Nex
tPart_000_0000_01D16999.BE013D00"..X-MimeOLE: Produced By Microsoft Mi
meOLE V6.1.7601.17514..This is a multi-part message in MIME format...-
-----=_NextPart_000_0000_01D16999.BE013D00..Content-Type: text/html;..
.charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content
-Location: file://C:\Users\TightropeJB\Desktop\AutoFeatureModel\produc
t_product_product_product_product_628.html..=EF=BB=BF<!DOCTYPE HTML
PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><H
EAD><TITLE>Search.com 628 by 282</TITLE>..<SCRIPT ty
pe=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/A
utoFeatureModel/Knockout-2.0=...0.js"></SCRIPT>..<SCRIPT t
ype=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/
AutoFeatureModel/AutoFeatureM=..odel.js"></SCRIPT>..<META
content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..
<STYLE>BODY {...POSITION: relative; PADDING-BOTTOM: 0px; BACKGRO
UND-COLOR: #e3e3e3; =..MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 628px; P
ADDING-RIGHT: 0px; =..FONT-FAMILY: arial, verdana, sans serif; HEIGHT:
282px; COLOR: #222; =..PADDING-TOP: 0px..}..TABLE {...BACKGROUND-REPE
AT: no-repeat..}..H1 {...MARGIN-TOP: 0px; MARGIN-BOTTOM: 4px; FONT-SIZ
E: 18px; FONT-WEIGHT: bold..}..P {...MARGIN: 0px; FONT-SIZE: 12px.<<< skipped >>>
GET /products/BM2/combos/penta/arcadetwist_nowuseeit_onesystemcare_knctr_updateadmin_628_3.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "4d4ec609d81274ab9c535663886293b7:1455749893"
Last-Modified: Wed, 17 Feb 2016 22:58:13 GMT
Accept-Ranges: bytes
Content-Length: 226274
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Windows Internet Explorer 8"..Subject: Search.com 628
by 282..Date: Wed, 17 Feb 2016 15:42:00 -0500..MIME-Version: 1.0..Cont
ent-Type: multipart/related;...type="text/html";...boundary="----=_Nex
tPart_000_0000_01D16999.BE013D00"..X-MimeOLE: Produced By Microsoft Mi
meOLE V6.1.7601.17514..This is a multi-part message in MIME format...-
-----=_NextPart_000_0000_01D16999.BE013D00..Content-Type: text/html;..
.charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content
-Location: file://C:\Users\TightropeJB\Desktop\AutoFeatureModel\produc
t_product_product_product_product_628.html..=EF=BB=BF<!DOCTYPE HTML
PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><H
EAD><TITLE>Search.com 628 by 282</TITLE>..<SCRIPT ty
pe=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/A
utoFeatureModel/Knockout-2.0=...0.js"></SCRIPT>..<SCRIPT t
ype=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/
AutoFeatureModel/AutoFeatureM=..odel.js"></SCRIPT>..<META
content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..
<STYLE>BODY {...POSITION: relative; PADDING-BOTTOM: 0px; BACKGRO
UND-COLOR: #e3e3e3; =..MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 628px; P
ADDING-RIGHT: 0px; =..FONT-FAMILY: arial, verdana, sans serif; HEIGHT:
282px; COLOR: #222; =..PADDING-TOP: 0px..}..TABLE {...BACKGROUND-REPE
AT: no-repeat..}..H1 {...MARGIN-TOP: 0px; MARGIN-BOTTOM: 4px; FONT-SIZ
E: 18px; FONT-WEIGHT: bold..}..P {...MARGIN: 0px; FONT-SIZE: 12px.<<< skipped >>>
GET /products/BM2/combos/penta/arcadetwist_nowuseeit_systemhealer_knctr_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "f8ba8a41cb3afca6b181afaaa04e54dc:1455750226"
Last-Modified: Wed, 17 Feb 2016 23:03:46 GMT
Accept-Ranges: bytes
Content-Length: 226349
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Windows Internet Explorer 8"..Subject: Search.com 628
by 282..Date: Wed, 17 Feb 2016 15:42:00 -0500..MIME-Version: 1.0..Cont
ent-Type: multipart/related;...type="text/html";...boundary="----=_Nex
tPart_000_0000_01D16999.BE013D00"..X-MimeOLE: Produced By Microsoft Mi
meOLE V6.1.7601.17514..This is a multi-part message in MIME format...-
-----=_NextPart_000_0000_01D16999.BE013D00..Content-Type: text/html;..
.charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content
-Location: file://C:\Users\TightropeJB\Desktop\AutoFeatureModel\produc
t_product_product_product_product_628.html..=EF=BB=BF<!DOCTYPE HTML
PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><H
EAD><TITLE>Search.com 628 by 282</TITLE>..<SCRIPT ty
pe=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/A
utoFeatureModel/Knockout-2.0=...0.js"></SCRIPT>..<SCRIPT t
ype=3Dtext/javascript=20..src=3D"file:///C:/Users/TightropeJB/Desktop/
AutoFeatureModel/AutoFeatureM=..odel.js"></SCRIPT>..<META
content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..
<STYLE>BODY {...POSITION: relative; PADDING-BOTTOM: 0px; BACKGRO
UND-COLOR: #e3e3e3; =..MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 628px; P
ADDING-RIGHT: 0px; =..FONT-FAMILY: arial, verdana, sans serif; HEIGHT:
282px; COLOR: #222; =..PADDING-TOP: 0px..}..TABLE {...BACKGROUND-REPE
AT: no-repeat..}..H1 {...MARGIN-TOP: 0px; MARGIN-BOTTOM: 4px; FONT-SIZ
E: 18px; FONT-WEIGHT: bold..}..P {...MARGIN: 0px; FONT-SIZE: 12px.<<< skipped >>>
GET /products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "d5b059b9def0504411bdb2db9c216a3d:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 75985
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "38cbe3d5d882081bb71074b52758b9b4:1453907915"
Last-Modified: Wed, 27 Jan 2016 15:18:35 GMT
Accept-Ranges: bytes
Content-Length: 76038
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "1dd737541e3940f4cef74621f76b62fa:1449767804"
Last-Modified: Thu, 10 Dec 2015 17:16:44 GMT
Accept-Ranges: bytes
Content-Length: 76128
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "7252da07c31ba2110f2caaeba0890e3c:1449767806"
Last-Modified: Thu, 10 Dec 2015 17:16:46 GMT
Accept-Ranges: bytes
Content-Length: 76048
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "ae50f47b8f976fcba8edfd829fcf5aaa:1450365473"
Last-Modified: Thu, 17 Dec 2015 15:17:53 GMT
Accept-Ranges: bytes
Content-Length: 76057
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "ed4b9b12f39800406f507196a9e05501:1449767804"
Last-Modified: Thu, 10 Dec 2015 17:16:44 GMT
Accept-Ranges: bytes
Content-Length: 76046
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "747cfe38befb558e90d4aff2c748848a:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 76151
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "1ee70d370acae337db961198ce34abcf:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 75801
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Mon, 7 Apr 2014 14:26:55 -0400..MIME-Version: 1.0..Content-Type
: multipart/related;...type="text/html";...boundary="----=_NextPart_00
0_0007_01CF526D.6D799070"..X-MimeOLE: Produced By Microsoft MimeOLE V6
.1.7601.17609..This is a multi-part message in MIME format...------=_N
extPart_000_0007_01CF526D.6D799070..Content-Type: text/html;...charset
="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locatio
n: file://C:\offerscreen\highlightly_stormalerts_optimizerpro_triple_6
28.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Trans
itional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0
000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///
C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SC
RIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureMod
el.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>S
earch.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-
Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=
0A=..=0A=../* set the background color to match the offer. */=0A=..bod
y {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..
verdana, sans serif;color:#222;position:relative;height: 282px;width:
=..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-siz
e: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {m
argin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COL<<< skipped >>>
GET /products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "ab612260ebb800ba44e230e95419a646:1449767803"
Last-Modified: Thu, 10 Dec 2015 17:16:43 GMT
Accept-Ranges: bytes
Content-Length: 76041
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration<<< skipped >>>
GET /products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c93b2f0ef2e880670430fcf302b32d12:1449767803"
Last-Modified: Thu, 10 Dec 2015 17:16:43 GMT
Accept-Ranges: bytes
Content-Length: 75992
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Thu, 11 Sep 2014 14:28:18 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0007_01CFCDCC.A1C309D0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0007_01CFCDCC.A1C309D0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\tidy_rapidwatch_optimizerpro_triple_628_3.ht
ml..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transition
al//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000"
=..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by
282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Co
mpatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/
offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtex
t/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js">
;</SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http
-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-F
AMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative
; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT:
0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}
..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px
; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FO<<< skipped >>>
GET /products/BM2/combos/onesystemcare_tidy_double628.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "b2b2ba26d95808459c2f3b647fbec299:1439558956"
Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT
Accept-Ranges: bytes
Content-Length: 72381
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-aliveFrom: "Saved by Windows Internet Explorer 9"..Subject: 628 by 282 Icy
Offer..Date: Mon, 7 Jan 2013 11:23:06 -0500..MIME-Version: 1.0..Conten
t-Type: multipart/related;...type="text/html";...boundary="----=_NextP
art_000_0010_01CDECC9.5D450B40"..X-MimeOLE: Produced By Microsoft Mime
OLE V6.1.7601.17609..This is a multi-part message in MIME format...---
---=_NextPart_000_0010_01CDECC9.5D450B40..Content-Type: text/html;...c
harset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-L
ocation: file://C:\offerscreen\strongvault_tidy_double628.html..=EF=BB
=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =
.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<
;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML>&
lt;HEAD>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/
offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3D"te
xt/javascript" =..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"&g
t;</SCRIPT>..<TITLE>628 by 282 Icy Offer</TITLE>..&l
t;META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3D"Content
-Type"><!--=20..Edited by: Insert Initials & Date..Template Name
: 628_Icy_2col_toolbar_EULA.php..-->..<STYLE>=0A=../* Overall
page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;p
adding:0;font-family: arial, =..verdana, sans serif;color:#707271;}=0A
=..#content {width:628px;height:282px; overflow:hidden; =..backgro<<< skipped >>>
GET /products/BM2/combos/nowuseeit_tidy_double_628_3.mht HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "6d5e59b839ac2c6daa141dcf782ccd4d:1450365474"
Last-Modified: Thu, 17 Dec 2015 15:17:54 GMT
Accept-Ranges: bytes
Content-Length: 68712
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:25 GMT
Connection: keep-alive
GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1
User-Agent: Developed Small Install System(ref=[3f016a4fc889aff9b6e3e4c4f8b320b7b3661051];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=280702;pid=1360)
Host: mirror.ramtransmission.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"
Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT
Accept-Ranges: bytes
Content-Length: 913
Content-Type: text/plain
Date: Sat, 05 Mar 2016 07:42:24 GMT
Connection: keep-alive
--[[
-- Lua Script to perform tracking hits IT can be run at start offer or finish and has aacces tot he variables.
--]]

local http=require("wininet.http");
local json=require("json");

local main=function()
   -- Need GuiInit
   local guiinit=require("GuiInit");
   local _Downloads=require("Downloads");
   local target=current.file._a_.Options -- Get the options blob
   -- No Target is specified then do nothing
   if target == "" or not target then
      return; -- Blank so do nothing
   end
   target=current.expand_path(target);
   -- Get the command line and look for an option
   --[[local cli=current.expand_path("$CMDLINE");
   local opts=string.match(cli or "","--custom.p.tid=([^ ]+)");
   ]]
   -- Make a reques to the target Url
   local r,c,h = http.request{
      method="POST",
      url=target ,
      proxy=_Downloads.proxyForUrl(target)
   }
end

return main();
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
PSSSSSSh
advapi32.dll
debug.pdb
comdlg32.dll
GetProcessShutdownParameters
KERNEL32.dll
GDI32.dll
USER32.dll
ole32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.fs
Press any key to continue
luabridge.registry
dialog.image
lua51.dll
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");return require('cleanup').runCleanup()%d.%.%d
resources.compressed
./lua51.dll
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])return table.concat(buf);
local block=ffi.new("char[?]",block_sz);function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
shared_library.dll
dialog.html
luabridge.nsis
luabridge.dll
luabridge.config
luabridge.classes
resources.binlib
luabridge.net
resources.nsis
resources.overlay
mime.core
resources.js
luabridge.win32
win32.shell
%d.%d.%d
11111111
./extramod.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
444444444
CryptDestroyKey
CryptDuplicateKey
CryptDeriveKey
111111111
key_destroy
Win32.Crypt.Key
derive_key
bad argument #%d to %s('%s' expected)key_duplicate
Win32.Crypto.Provider
key_encrypt
key_decrypt
%s expected data in index [1]
default_key
%s<%p>
%s expected table argument
Win32.Crypt.Hash
%s expected 'length' with lightuserdata
provider_dervice_key
inflate() failed(rc=%d)
miniz.InflateZStream
deflate() failed(rc=%d)
inflateInit() failed (rc=%s)
deflateInit() failed (rc=%s)
miniz.DeflateZStream
Unsupported filter input(string|nil) expected
Mime 1.0.3
zcÁ
version="48.4.6.5687"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>setup.exe
48.4.6.5687
%original file name%.exe_1360:
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/AVMoO8shWBvkmaOHUjc
c:\%original file name%.exe
?456789:;<=
!"#$%&'()* ,-./0123
version="48.4.6.5687"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>setup.exe
48.4.6.5687
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:496
%original file name%.exe:1360
%original file name%.exe:1116
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P9POCHL3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\177\tidy_nowuseeit_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\165\knctr_nowuseeit_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\153\arcadetwist_knctr_nowuseeit_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\183\nowuseeit_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\169\knctr_nowuseeit_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\141\arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\122\arcadetwist_nowuseeit_knctr_pcacceleratepro_updateadmin_628.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1\do_tracking_hit.lua (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\132\arcadetwist_nowuseeit_systemhealer_knctr_updateadmin_628.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\173\tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1eUeCBzMx.dll (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\161\knctr_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\1\codecpacks_satellitesite.mht (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\wbk2.tmp (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\127\arcadetwist_nowuseeit_onesystemcare_knctr_updateadmin_628_3.mht (29308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\137\arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TS2H88Q6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\2200IsXQsI.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\181\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F2MQ8WVM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4H2JKHY7\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\145\arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\149\arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AVMoO8shWBvkmaOHUjc\skin\res\common.js (118 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.