SearchProtectToolbar_pcap_631b98cf4c

by malwarelabrobot on December 25th, 2014 in Malware Descriptions.

Backdoor.Win32.Farfli.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 631b98cf4ca36cc609f5e1f61e011463
SHA1: 8145286c6db59500d61deacf10655285919ee57c
SHA256: 55e0600761aef392fec26d78917bb502a19ae0f96108c379ec298e93854c0880
SSDeep: 6144:Yz 92mhAMJ/cPl3izxhjDfuozlx/LVXHSPF0MfB:YK2mhAMJ/cPlUlfH7VXo
Size: 250368 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wsmallstub.exe:1528
%original file name%.exe:1804

The Backdoor injects its code into the following process(es):

Your_Uninstaller.exe:1576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Your_Uninstaller.exe:1576 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\919447[1].htm (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1201760[1].htm (26835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[2].htm (24705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\PS_searchprotect[1].json (23728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (373 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[1].htm (22704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\9ff4d7d9-e509-4157-9272-672e770a13c4[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\nonadwords_trip[1].htm (3611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[4].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBGGoogleDialog[1].png (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2d5611a4-628a-4b0a-bb01-95750affa250[1].png (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[3].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\-[1].png (933 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (0 bytes)

The process wsmallstub.exe:1528 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1804 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (3306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_1508703 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (0 bytes)

Registry activity

The process Your_Uninstaller.exe:1576 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Your_Uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122420141225\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CachePrefix" = ":2014122420141225:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D B7 C9 08 CA 3E CB 25 CF 2F DA 82 73 E9 BB 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Your_Uninstaller.exe" = "6000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies the IE security zone settings to map all local web nodes with no dots in their names that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wsmallstub.exe:1528 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FD B0 9A AB E8 46 35 38 9C 29 F1 3D D9 2C BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies the IE security zone settings to map all local web nodes with no dots in their names that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 41 E1 E9 06 1B 92 F6 E6 10 62 5D 44 C2 2C 5D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"wsmallstub.exe" = "wsmallstub"

The Backdoor modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies the IE security zone settings to map all local web nodes with no dots in their names that do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
7ce9c717ec8ff8d1c38d97d436189b53 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe
dd4b2762aa7ddc1314bbbdb42640aa20 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\FDMClient.dll
62008374a494afeea2ee2ae9eee4c8c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\System.dll
07f09c1bf361f757675b77320a08506c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe
f64b71ab811b25b1cd2fe801449af25c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\webapphost.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: Your_Uninstaller.ex
Internal Name: Your_Uninstaller.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 74526 74752 4.54396 a8692f5ba740240ef0f9a827376f76f9
.rdata 81920 7445 7680 3.46159 d4f36accffde0bf520f52486679ccf0d
.data 90112 96036 512 2.46008 b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT 188416 32 512 0.273198 439411041ee0b8261668525c5c132cd9
.rsrc 192512 38164 38400 4.05087 2be43a53ce9007d251b1f780a86a734d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8752
Expires: Wed, 24 Dec 2014 09:50:46 GMT
Date: Wed, 24 Dec 2014 07:24:54 GMT
Connection: keep-alive
....



GET /DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 174707
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:58 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201760 HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT
Accept-Ranges: bytes
ETag: "be63c598c6fd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:58 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ac4d4d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ac4d4d98c6fd01:0"
Cache-Control: private, max-age=8083
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8748
Expires: Wed, 24 Dec 2014 09:50:46 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "10ce6d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "10ce6d98c6fd01:0"
Cache-Control: private, max-age=7785
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT
Accept-Ranges: bytes
ETag: "ea23644c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2779
Cache-Control: private, max-age=9683
Expires: Wed, 24 Dec 2014 10:06:21 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "e8b65c98c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6035
Cache-Control: private, max-age=12291
Expires: Wed, 24 Dec 2014 10:49:49 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "caa5998c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "caa5998c6fd01:0"
Cache-Control: private, max-age=8842
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive
....



GET /Js/jquery.dotdotdot.min.js?fid=919447 HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT
Accept-Ranges: bytes
ETag: "be63c598c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=10551
Expires: Wed, 24 Dec 2014 10:20:50 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "524e5698c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "524e5698c6fd01:0"
Cache-Control: private, max-age=8841
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "0c67198c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "0c67198c6fd01:0"
Cache-Control: private, max-age=7784
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "10ce6d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "10ce6d98c6fd01:0"
Cache-Control: private, max-age=7784
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "e8b65c98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "e8b65c98c6fd01:0"
Cache-Control: private, max-age=12290
Expires: Wed, 24 Dec 2014 10:49:49 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "caa5998c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "caa5998c6fd01:0"
Cache-Control: private, max-age=8841
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "524e5698c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "524e5698c6fd01:0"
Cache-Control: private, max-age=8841
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive


GET /MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 174148
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:51 GMT
Date: Wed, 24 Dec 2014 07:24:51 GMT
Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201545 HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT
Accept-Ranges: bytes
ETag: "be63c598c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=17952
Expires: Wed, 24 Dec 2014 12:24:04 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "0c67198c6fd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1076
Cache-Control: private, max-age=7791
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "524e5698c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 5182
Cache-Control: private, max-age=8848
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "ce177098c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1504
Cache-Control: private, max-age=7790
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ac4d4d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ac4d4d98c6fd01:0"
Cache-Control: private, max-age=8088
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "caa5998c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "caa5998c6fd01:0"
Cache-Control: private, max-age=8847
Expires: Wed, 24 Dec 2014 09:52:20 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ce177098c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/gif
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ce177098c6fd01:0"
Cache-Control: private, max-age=7790
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive
....



GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8753
Expires: Wed, 24 Dec 2014 09:50:46 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive


GET ///img/offers/r_db/r_bc/2d5611a4-628a-4b0a-bb01-95750affa250.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Sun, 09 Mar 2014 10:05:22 GMT
Accept-Ranges: bytes
ETag: "d6b2ad157f3bcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 41495
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT
If-None-Match: "9e6f411e773bcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT
ETag: "9e6f411e773bcf1:0"
Cache-Control: private, max-age=17999
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive



GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT
If-None-Match: "9e6f411e773bcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT
ETag: "9e6f411e773bcf1:0"
Cache-Control: private, max-age=17993
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive


POST / HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 543
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "dm_version" : "1.4.0.4.141214.03" , "tracking_id" : "" , "json_send_time" : "2014-12-24.4:15:12:982" , "phase" : "Init" , "phase_type" : "regular" , "attempt_number" : "1" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "Is_Test" : "0" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "activated_by_stub" : "1" , "sln" : "29566" , "welcome_screen" : "0"  }
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:50 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 587
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:13:638" , "phase" : "AfterNavM" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : ""  }
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:50 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2296
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:20:779" , "phase" : "InStartLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "7797" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_opera
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2228
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:310" , "phase" : "Android detection start" , "phase_type" : "regular" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "531" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_service_pack" : "3.0" 
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2294
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:341" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operati
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:58 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2742
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:388" , "phase" : "InitComplete" , "phase_type" : "regular" , "order" : "2.0" , "result" : "Success" , "error_details" : "" , "phase_duration" : "16" , "duration_details" : "EngineMgrCreated:828,BuildUserProfile:6890,retrieveCid:16,sendXML:0,xmlSent:0,startParse:234,endParse:16,StartOffersLoop:562,ValidateMO:16,NavigateFirstSlot:0,ReportInitComplete:0," , "general_status_code" : "1" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_id" : "1201545" , "product_id" : "0" , "product_type" : "Publisher's Offer" , "product_id_version" : "" , "rule_id" : "467134" , "vector_id" : "467727" , "is_parallel" : "0" , "call_service_duration" : "234" , "navigate_mo_duration" : "MONavigationCompleted:3422," , "navigate_global_duration" : "GlobalNavigationCompleted:3547," , "attempt_number" : "1" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_scr
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2760
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:420" , "phase" : "OfferPresented" , "phase_type" : "regular" , "order" : "3.1" , "result" : "Success" , "error_details" : "" , "phase_duration" : "16" , "duration_details" : "" , "general_status_code" : "2" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_suggestion_number" : "1" , "offer_presented_number" : "1" , "slot_number" : "1" , "position_in_slot" : "1" , "server_settings" : {"DownloadBrowser":"IE","CType":"-1","SearchProvider":"Bing","UserMode":"-1"} , "user_selection_settings" : "" , "condition_type" : "None" , "offer_type" : "Main" , "offer_id" : "1201545" , "root_offer_id" : "1201545" , "rule_id" : "467134" , "vector_id" : "467727" , "product_id" : "0" , "product_id_version" : "" , "product_type" : "Publisher's Offer" , "state" : "" , "installation_type" : "0" , "attempt_number" : "1" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 2250
Connection: Keep-Alive
Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:451" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "15" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:58 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive


GET /customoffers/customframeapi.js HTTP/1.1
Accept: */*
Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dehosting.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Encoding: gzip
Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT
Accept-Ranges: bytes
ETag: "46a2919a7ac7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 798
Cache-Control: private, max-age=31536000
Expires: Thu, 24 Dec 2015 07:24:59 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
Vary: Accept-Encoding


POST /DecisionEngine.ashx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: engine.dmccint.com
Content-Length: 2509
Connection: Keep-Alive
Cache-Control: no-cache

<OFFER_REQUEST><COMPLETE_COMMAND_LINE>false</COMPLETE_COMMAND_LINE><USER_PROFILE><PUBLISHER_ID_NUM>265</PUBLISHER_ID_NUM><SESSION_ID><![CDATA[080914f4-46db-47a1-8d6d-2e1070d7fb1f]]></SESSION_ID><TRACKING_ID><![CDATA[]]></TRACKING_ID><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DMVersion</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>1.4.0.4.141214.03</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultBrowser</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>IE</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>CurrentToolbar</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>Homepage</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[about:blank]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultSearch</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USE
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 24 Dec 2014 07:24:57 GMT
Content-Length: 19758
<OFFER_RESPONSE><MAIN_OFFER><OFFER_ID>1201545</OFFER_ID><OFFER_NAME>Your Uninstaller</OFFER_NAME><OFFER_URL>no_dynamic_main_offer_url_supported_in_this_version</OFFER_URL><OFFER_DESCRIPTION /><OFFER_INSTALL_CMD><OFFER_ID>1201545</OFFER_ID><OFFER_STATE>default</OFFER_STATE><DOWNLOAD_URL>hXXp://YourUninstaller.download.dmccint.com/Default.ashx?EnvironmentID=3</DOWNLOAD_URL><INSTALL_COMMAND_LINE>/verysilent</INSTALL_COMMAND_LINE></OFFER_INSTALL_CMD><INSTALLATION_TYPE>1</INSTALLATION_TYPE><PRODUCT_ID /><PRODUCT_TYPE>Publisher's Offer</PRODUCT_TYPE><PRODUCT_VERSION /><ROOT_OFFER_ID>1201545</ROOT_OFFER_ID><DOWNLOAD_URL>hXXp://YourUninstaller.download.dmccint.com/Default.ashx?EnvironmentID=3</DOWNLOAD_URL><OFFER_FILE_NAME /><DOWNLOAD_BACKUP_URL /><CONDITION_TYPE>None</CONDITION_TYPE><TOTAL_STEPS>1</TOTAL_STEPS><SOFTWARE_PRODUCT_VERSION /><ANTI_OFFER /><SUCCESS_CODE /><INSTALLATION_UI_ELEMENTS><UI_ELEMENT><NAME>DownloadBrowser</NAME><VALUE>IE</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>CType</NAME><VALUE>-1</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>SearchProvider</NAME><VALUE>Bing</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>UserMode</NAME><VALUE>-1</VALUE></UI_ELE

<<< skipped >>>

GET /Global/GlobalPage/1199375/?Language=None&Welcome=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 186842
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:51 GMT
Date: Wed, 24 Dec 2014 07:24:51 GMT
Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201545GlobalPage HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT
Accept-Ranges: bytes
ETag: "be63c598c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "ac4d4d98c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 933
Cache-Control: private, max-age=7791
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "10ce6d98c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2562
Cache-Control: private, max-age=7791
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "404a5898c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 3937
Cache-Control: private, max-age=8089
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "caa5998c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2726
Cache-Control: private, max-age=8114
Expires: Wed, 24 Dec 2014 09:40:06 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "0c67198c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "0c67198c6fd01:0"
Cache-Control: private, max-age=9213
Expires: Wed, 24 Dec 2014 09:58:26 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "10ce6d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "10ce6d98c6fd01:0"
Cache-Control: private, max-age=7790
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8088
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "e87a6698c6fd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2670
Cache-Control: private, max-age=9213
Expires: Wed, 24 Dec 2014 09:58:26 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8088
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:53 GMT
Connection: keep-alive


GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8087
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:54 GMT
Connection: keep-alive



GET /DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 174691
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:58 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "0c67198c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "0c67198c6fd01:0"
Cache-Control: private, max-age=9207
Expires: Wed, 24 Dec 2014 09:58:26 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive



GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ce177098c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/gif
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ce177098c6fd01:0"
Cache-Control: private, max-age=8876
Expires: Wed, 24 Dec 2014 09:52:55 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ac4d4d98c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ac4d4d98c6fd01:0"
Cache-Control: private, max-age=7784
Expires: Wed, 24 Dec 2014 09:34:43 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "404a5898c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "404a5898c6fd01:0"
Cache-Control: private, max-age=8082
Expires: Wed, 24 Dec 2014 09:39:41 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive



GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT
If-None-Match: "ea23644c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
Accept-Ranges: bytes
ETag: "98a6d98c6fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2779
Cache-Control: private, max-age=8111
Expires: Wed, 24 Dec 2014 09:40:10 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT
If-None-Match: "ce177098c6fd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/gif
Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT
ETag: "ce177098c6fd01:0"
Cache-Control: private, max-age=8876
Expires: Wed, 24 Dec 2014 09:52:55 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive


GET /ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 35920
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT
Accept-Ranges: bytes
ETag: "03ea67913bdcf1:ded"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Expires: Thu, 25 Dec 2014 07:24:58 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

<<< skipped >>>

GET /ps/OptimizerPro/offerscreen/global/1/index.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 4506
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 11 Dec 2014 13:59:41 GMT
Accept-Ranges: bytes
ETag: "804477b54a15d01:528"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=31536000
Expires: Thu, 24 Dec 2015 07:24:59 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

<<< skipped >>>

GET /LMS/PS_searchprotect/PS_searchprotect.json HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie#cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 250005
Content-Type: application/json
Last-Modified: Wed, 17 Dec 2014 11:45:53 GMT
Accept-Ranges: bytes
ETag: "a8cc23ef19d01:ded"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=7200
Expires: Wed, 24 Dec 2014 09:24:59 GMT
Date: Wed, 24 Dec 2014 07:24:59 GMT
Connection: keep-alive
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 738
Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "technical" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "json_send_time" : "2014-12-24.4:15:21:341" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_WaitForDMInitComplete" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "publisher_id" : "URSoftware" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0"  }
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:58 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive



POST / HTTP/1.1

Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: ude.databssint.com
Content-Length: 727
Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "regular" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "json_send_time" : "2014-12-24.4:15:21:420" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_EndOfSession" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "publisher_id" : "URSoftware" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0"  }
HTTP/1.1 202 Accepted
Date: Wed, 24 Dec 2014 07:24:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive


GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT
Accept-Ranges: bytes
ETag: "9e6f411e773bcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 5253
Cache-Control: private, max-age=18000
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:52 GMT
Connection: keep-alive

<<< skipped >>>

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT
If-None-Match: "9e6f411e773bcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT
ETag: "9e6f411e773bcf1:0"
Cache-Control: private, max-age=17994
Expires: Wed, 24 Dec 2014 12:24:52 GMT
Date: Wed, 24 Dec 2014 07:24:58 GMT
Connection: keep-alive


The Backdoor connects to the servers at the following location(s):

Your_Uninstaller.exe_1576:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
H#.Mx
dWi7.wU
zcÁ
.?AVfsURL@@
.?AVfsInternetURLFile@@
.?AVfsInternetURLFileDownloader@@
.?AVfsHttpFile@@
.?AVfsFtpConnection@@
.?AVfsFtpFile@@
.?AVfsHttpConnection@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
6'6,60646]6
2(2F2i2
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXps://VVV.verisign.com/cps0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
LOCALS~1\Temp\nsvB4.tmp\webapphost.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapphost.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp
n\App Paths\IEXPLORE.EXE
1.0.0.1
Download.dll
nsvB4.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapphost.dll" (overwriteflag=1)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe /ByStub BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f
Your_Uninstaller.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe
IEXPLORE.EXE
080914f4-46db-47a1-8d6d-2e1070d7fb1f
hXXp://ude.databssint.com
hXXp://engine.dmccint.com/DecisionEngine.ashx
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico
Icons\icon.png
5a97c212-9d8d-4368-bcfc-7f7b8f3c3752
1201545
hXXp://cms.dmccint.com/MainOffer/1199375/
Setup.exe
hXXp://cms.dmccint.com/Global/GlobalPage/1199375/
hXXp://business.va.conduit.com/chrome/inline/instafeed/shell.html
G/moc.tniccmd.smc//:ptth=lrUegaPlabolG
1.3.9.0.140504.01
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapp\
1511843
Naive_recommender_Bayesian_adjust_2014-12-24.csv
Microsoft Windows XP
6.0.2900.5512
%Documents and Settings%\%current user%\Local Settings\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\client_xml.xml
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\offer.xml
no_dynamic_main_offer_url_supported_in_this_version
%Program Files%\Internet Explorer\iexplore.exe
GenericDM.exe
1.4.0.4.141214.03

svchost.exe_340:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wsmallstub.exe:1528
    %original file name%.exe:1804

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\919447[1].htm (20416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1201760[1].htm (26835 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\manager.js (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\init.html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Success.htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\NoneSilentSuccess.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\DM_loader.gif (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[2].htm (24705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsaB3.tmp (45350 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (6038 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\InstallationSuccessful[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\gplay.js (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[1].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\proxy.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BoxBgNew[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\PS_searchprotect[1].json (23728 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (574 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[2].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBG[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (373 bytes)
    %System%\wbem\Logs\wbemprox.log (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[1].htm (22704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\manager.html (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\NextButton_Sprite-wide-grey[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\webapphost.dll (39329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\icon.png (431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\SmallLoader[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\certInlineLB.pfx (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\9ff4d7d9-e509-4157-9272-672e770a13c4[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\customframeapi[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\X[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\nonadwords_trip[1].htm (3611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[4].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\WelcomeScreen.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBGGoogleDialog[1].png (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\NextButton_Sprite wide[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2d5611a4-628a-4b0a-bb01-95750affa250[1].png (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\FDMClient.dll (8184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[3].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Failed.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\-[1].png (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe (3626 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (3306 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
