SearchProtectToolbar_pcap_910c8012ac

by malwarelabrobot on December 3rd, 2015 in Malware Descriptions.

SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 910c8012ac4a3a3440664ee42a64190a
SHA1: eb0d39b14d42378a8ebb7737a25bf0cefcdbd1a0
SHA256: 3b61d152f28c4de1456a7b0236c6e352878fbd1661a7ad459a10fbbef62c62d2
SSDeep: 24576:QJLMLKmtvPyHu7FzV9TTWDxpy9pNg4W7HM89cN 2QHC3:uiKmHyORVNTWHp7s8EQ
Size: 894520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Pro Preferred Installer
Created at: 2014-07-31 16:16:20
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:404
%original file name%.exe:608
%original file name%.exe:1888

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:608 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85678DAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\wbk2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\401\moneyviking_490.mht (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\writer[1].jpg (6212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll (1485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\405\Update_Admin_490_1.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\404\onesystemcare_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\403\rockettab_490.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\290\findwide_nocheckboxes_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\1\OO-writer-openofficeuscom-bm25.mht (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll (40 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:404 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 50 D1 1F 99 6C E1 0E 15 8F 5D 46 FD 16 AD 86"

The process %original file name%.exe:608 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015120220151203\"
"CachePrefix" = ":2015120220151203:"
"CacheLimit" = "8192"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 2E 63 E1 E1 DE 8F D1 78 F0 52 AD F4 A0 51 D9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Malware deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Malware deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1888 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 2C F1 71 E6 CF B0 09 97 3C C4 1C 31 02 AC FB"

Dropped PE files

MD5 File path
edaf7c05730d7fb2cc52f7b9851dc5a0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll
44dac7f87bdf94d553f8d2cf073d605d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll
f0c59526f8186eadaf2171b8fd2967c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll
692479f7c07a64a6a632148e382f0e22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll
0bfb8664639d8c349559d5a61960138a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Pro Preferred Installer
Product Name: Pro Preferred Installer
Product Version: 50.4.8.219
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 50.4.8.219
File Description: Pro Preferred Installer
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 52411 52736 4.48321 8a36f5dd626ddc7f32cff1aa477cad7e
.rdata 57344 10344 10752 3.9695 2b338e17612f83bf3890455274aa4bbf
.data 69632 15852 12288 4.732 7b3314b6ed59a17f79e6c9a4d412154e
.bindat 86016 586560 586752 5.54398 feea5a1f76814518335d71faae6afcf2
.script 675840 215036 215040 5.54432 e25de589d4f46dc5a647668f0c063aa2
.rsrc 892928 10752 10752 3.24224 b14419f88a8bf804460091560a11b46a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 50.22.63.140
hxxp://a728.g.akamai.net/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip
hxxp://service.downloadadmin.com/env?browserVersion=9&osVersion=Vista&productKey=&s=msn&browserName=IE&c=Srch_US_OpenOffice_us_Writer_PM&brand=openoffice.us.com&pid=TR&bc=1176227&osName=Windows&country=UA 50.22.63.140
hxxp://a728.g.akamai.net/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht
hxxp://a728.g.akamai.net/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht
hxxp://a728.g.akamai.net/products/BM2/moneyviking/ipage/moneyviking_490.mht
hxxp://a728.g.akamai.net/products/BM2/rockettab/ipage/rockettab_490.mht
hxxp://a728.g.akamai.net/products/BM2/onesystemcare/ipage/onesystemcare_490.mht
hxxp://a728.g.akamai.net/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht
hxxp://install.downloadadmin.com/cms/cmsimages/openoffice/writer.jpg 98.129.229.20
hxxp://mirror.mirror-files.com/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip 213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht 213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/onesystemcare/ipage/onesystemcare_490.mht 213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht 213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/rockettab/ipage/rockettab_490.mht 213.133.184.113
hxxp://mirror.downloadnet1210.com/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht 213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/moneyviking/ipage/moneyviking_490.mht 213.133.184.113


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
X-Exename: %original file name%.exe
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:54 GMT
Age: 0
X-TVAR: 
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <PlainEula>false</PlainEula>
    <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.downloadmanager145.com/binstallers/BM2/openoffice/exe/4_1_1/Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>14</ProductId>
    <ProductName>OpenOffice Writer</ProductName>
    <Scramble>false</Scramble>
  </Bundle>
  <Bundle>
    <BrandingText>Findwide Toolbar - Flat Design - TB10723</BrandingText>
    <BrandingUrl>hXXp://VVV.downloadadmin.com</BrandingUrl>
    <Category>toolbar, search, home</Category>
    <CustomCss>color:#FFFFFF;</CustomCss>
    <CustomParameter Name="advertisername">eShield</CustomParameter>
    <If>
      <Not>
        <Env property="browser.chrome.is_default" op="=" value="true"/>
      </Not>
      <Not>
        <Env property="custom.browserName" op="=" value="Chrome"/>

<<< skipped >>>

POST /install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
X-Exename: %original file name%.exe
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive

delta=375
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:57 GMT
Age: 0
X-Cache: MISS
0..HTTP/1.1 200 OK..Transfer-Encoding: chunked..Date: Wed, 02 Dec 2015
00:44:57 GMT..Age: 0..X-Cache: MISS..0..
....



GET /env?browserVersion=9&osVersion=Vista&productKey=&s=msn&browserName=IE&c=Srch_US_OpenOffice_us_Writer_PM&brand=openoffice.us.com&pid=TR&bc=1176227&osName=Windows&country=UA HTTP/1.1

X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
X-Exename: %original file name%.exe
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:58 GMT
Age: 0
X-TVAR: 
X-Cache: MISS
002337
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Environment>
    <Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry>
    <Entry name="over-threshold:One System Care (US) (Chrome)">true</Entry>
    <Entry name="over-threshold:Super Optimizer (US)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK) (1456)">true</Entry>
    <Entry name="over-threshold:Super Optimizer (GB)">true</Entry>
    <Entry name="over-threshold:Web Bar (GB)">true</Entry>
    <Entry name="over-threshold:Web Bar (AU)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (AR)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (MX)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (BR)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (TR)">true</Entry>
    <Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (FR)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (AU)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (DE)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (BR)">true</Entry>

<<< skipped >>>

GET /cms/cmsimages/openoffice/writer.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: install.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: image/jpeg
Date: Wed, 02 Dec 2015 00:45:00 GMT
Accept-Ranges: bytes
Connection: Keep-Alive
Set-Cookie: X-Mapping-dbfpeoop=69071A17C24CFA9DDF58AC8A8F62766E; path=/
Last-Modified: Fri, 18 Jan 2013 19:40:03 GMT
X-Cache-Info: caching
Content-Length: 63397

<<< skipped >>>

GET /binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "a2999772c3f42d84b5185004a58392c0:1348790843"
Last-Modified: Thu, 27 Sep 2012 23:41:31 GMT
Accept-Ranges: bytes
Content-Length: 2266
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: Untitled Docume
nt..Date: Tue, 23 Aug 2011 14:06:37 -0700..MIME-Version: 1.0..Content-
Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-
printable..Content-Location: hXXp://install.downloadadmin.com/uber/Ope
n_office/Writer/writer_da.php..X-MimeOLE: Produced By Microsoft MimeOL
E V6.1.7601.17609..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-199
91224/loose.dtd">..<HTML=20..xmlns=3D"hXXp://VVV.w3.org/1999/xht
ml"><HEAD><TITLE>Untitled =..Document</TITLE>..&l
t;META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Typ
e>..<STYLE type=3Dtext/css>BODY {...MARGIN: 0px..}...style7 {
...FONT-FAMILY: Geneva, Arial, Helvetica, sans-serif; COLOR: #666; =..
FONT-SIZE: 11px..}..</STYLE>..<META name=3DGENERATOR content=
3D"MSHTML 8.00.7601.17655"></HEAD>..<BODY>..<DIV=20.
.style=3D"BACKGROUND-IMAGE: =..url(hXXp://install.downloadadmin.com/cm
s/cmsimages/openoffice/writer.jpg)=..; WIDTH: 490px; BACKGROUND-REPEAT
: no-repeat; BACKGROUND-POSITION: left =..top; HEIGHT: 450px">..<
;DIV=20..style=3D"PADDING-BOTTOM: 0px; PADDING-LEFT: 35px; PADDING-RIG
HT: 35px; =..PADDING-TOP: 345px"=20..align=3Dleft><SPAN class=3D
style7>OpenOfficeSuite is an open source =..product=20..developed b
y Oracle Corporation licensed under <A=20..href=3D"hXXp://VVV.gnu.o
rg/licenses/lgpl.html" target=3D_blank>GNU LGPL =..v3</A>

<<< skipped >>>

GET /products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht HTTP/1.1

User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "d526c0dae99b16719f4f02416715c27f:1405373453"
Last-Modified: Mon, 14 Jul 2014 21:30:53 GMT
Accept-Ranges: bytes
Content-Length: 15352
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Mon, 14 Jul 2014 17:30:45 -0400..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/tnt/findwide_nocheckboxes.php?mode=previ
ew..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=B
F<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =..
"hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<H
TML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE&g
t;..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DCo
ntent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A
=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYL
E>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px
; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdan
a, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...PO
SITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =.
.block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: ab
solute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: abs
olute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: a
bsolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...
WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH:
450px; HEIGHT: 145px; TOP: 260px; LEFT: 20px..}..#eula {...WIDTH:

<<< skipped >>>

GET /products/BM2/moneyviking/ipage/moneyviking_490.mht HTTP/1.1

User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "2aaec5237cf6fea275c19597b2efc7b2:1447446596"
Last-Modified: Fri, 13 Nov 2015 20:29:56 GMT
Accept-Ranges: bytes
Content-Length: 34927
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Fri, 13 Nov 2015 15:28:42 -0500..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/moneyviking/EULA.php..X-MimeOLE: Produce
d By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUB
LIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR
/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><
;TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3
D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!--
=0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_
Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-
BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px
; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR:
=..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACK
GROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px;
OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {.
..POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...PO
SITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineC
heckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT:
26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px;
TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT: 200px;

<<< skipped >>>

GET /products/BM2/rockettab/ipage/rockettab_490.mht HTTP/1.1

User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "86c1268b2989e21ee1276a68d828078b:1406649493"
Last-Modified: Tue, 29 Jul 2014 15:58:13 GMT
Accept-Ranges: bytes
Content-Length: 23514
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Tue, 29 Jul 2014 11:57:47 -0400..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/rockettab/uniform_eula.php..X-MimeOLE: P
roduced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HT
ML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.
org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD&
gt;<TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META con
tent=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type>&l
t;!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name
: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PA
DDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT:
=..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; C
OLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative
; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT:
450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#tool
bar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula
{...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#bas
elineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HE
IGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT:
145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT:

<<< skipped >>>

GET /products/BM2/onesystemcare/ipage/onesystemcare_490.mht HTTP/1.1

User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "fbf24e88e7a942bf9651dda851b4739b:1431544513"
Last-Modified: Wed, 13 May 2015 19:15:13 GMT
Accept-Ranges: bytes
Content-Length: 15917
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Wed, 13 May 2015 15:15:06 -0400..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/onesystemcare/uniform_eula.php..X-MimeOL
E: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYP
E HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.
w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><H
EAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META
content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type&g
t;<!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template
Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {.
..PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LE
FT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans seri
f; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: rela
tive; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIG
HT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#
toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#e
ula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..
#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px
; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIG
HT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIG

<<< skipped >>>

GET /products/BM2/updateadmin/ipage/Update_Admin_490_1.mht HTTP/1.1

User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "51943c10df43f524c8a34441c5bd6023:1418079573"
Last-Modified: Mon, 08 Dec 2014 22:59:33 GMT
Accept-Ranges: bytes
Content-Length: 24576
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Thu, 4 Sep 2014 13:57:27 -0400..MIME-Version: 1.0..
Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding:
quoted-printable..Content-Location: hXXp://install.downloadadmin.com/
bm2.5_ALL_OFFERS/advertisers/UpdateAdmin/uniform_eula.php..X-MimeOLE:
Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE H
TML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c
.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD
><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META co
ntent=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type>&
lt;!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Nam
e: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...P
ADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT:
=..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif;
COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relativ
e; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT:
450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#too
lbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula
{...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#ba
selineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; H
EIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT:
145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT:

<<< skipped >>>

GET /skins/da/03042014/DownloadAdmin_Google_DevInfo.zip HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "1afaa98075fcb4e70a449fb2c68d2f91:1393974846"
Last-Modified: Tue, 04 Mar 2014 23:14:06 GMT
Accept-Ranges: bytes
Content-Length: 84488
Content-Type: application/zip
Date: Wed, 02 Dec 2015 00:44:57 GMT
Connection: keep-alive
PK.........ydD....k...y.......options.json%.;.. ....xf.S.. ]....E...e.
z.V....{.'.Y{..>.Br......kr.l.g..hu.2.."((\.".<j...J._..$.' .j..
....m.G........PK.........ydDj..m............skin/.DS_Store..1..0.....
.M\:2v....!x./....{t%[email protected]|?MD...
>....k<...]...V.y......f...m^.Z........e...".............0..u...
..'<.[7n......p..-le.W.."...PK.........ydD../.............skin/acce
ptGreen2x.gif.U.T....$.:...P.E..$$.$...J ...a.....zS. [email protected]".
t..t. EA......].{....[.....?........oie...........rY.~#...&..\(c..g.c.
k.W..!rq'........HHH..d..%F.....#.g.......a...op....,.~.o....3".. )..t
.......'..8.u..d....Y..c.#q.;v^.=..Z..F..y..-..2...p........b.7...R.3~
.\F]..H..._...xI.G.8.[......S...a...8.F}."../.......c...~".~vS-......P
.n...;../.....) .b......CO........t....}.=.....E.-G..l4.z.....<l...
M.l.p.s..-G.H].i<.......5.....?.XK.D.U.!....5r..L4....qjur....S8...
..GO/....c....9..S....$..{......As....@/P........ C.....t.."...M%D.Q..
..=.|<0..8#.A.6...G.q.F....c#...=..P.....pe.? !>...?6.?l...Q.:..
S..--...~.:..Z'.H......tOiicut.H=.?.... ...3f..../.*{....pxxx.f8J3 ...
..`~.@"O.#N.G...G...V.......D..P...?d....!...?C.....R......4=.....4..&
........9C.......4...%8 4....W.o..=..p...}.u?)..f...~... 3C...MO.'...E
.!.:z..ss.........,..f:.Hs..:.7........6.....s.F...L.d..0.0....Z.....{
P~r...E.[..4............H..!....4.....v........#=....D..xZ...A.q.X..b.
...?....3..;.....si...L.U.........1A................._.V?.|Z^..aqa~...
.4wjrb|ltdx........7=.]...m.._..l~....g.6>.4.?y\W..............

<<< skipped >>>
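Every request in the capture above carries the same User-Agent, Installer(ref=[...];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608). It is a telemetry string, not a browser identity: a 40-hex-digit ref token, the OS and IE versions, an elevation flag and the installer's own process id (608, the same process id listed for the installer elsewhere in this report). The offer pages are fetched from mirror.downloadnet1210.com with Content-Type: text/plain, but each body is an MHT bundle saved from Internet Explorer whose Content-Location header names install.downloadadmin.com as the origin, so the mirror host in DNS or proxy logs is not the only indicator worth recording. The following is an added example, not code from this page or from the installer: it parses the request head, splits the User-Agent into fields, decodes the quoted-printable MHT with the standard library and reports mirror host, origin host and telemetry fields together. SAMPLE_REQUEST and SAMPLE_MHT are constructed from the capture shown above (the hXXp/VVV defanging is kept as printed); the function names are this example's own.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample: the moneyviking_490.mht request from the capture above,
# re-assembled with CRLF line endings.
SAMPLE_REQUEST = (
    "GET /products/BM2/moneyviking/ipage/moneyviking_490.mht HTTP/1.1\r\n"
    "User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];"
    "windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;"
    "startTime=283108;pid=608)\r\n"
    "Host: mirror.downloadnet1210.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample: header block and first body lines of the response body
# (the capture prints CRLF as '..'; the page's hXXp/VVV defanging is kept).
SAMPLE_MHT = (
    'From: "Saved by Windows Internet Explorer 8"\r\n'
    "Subject: 490 x 450 Icy Offer w/EULA\r\n"
    "Date: Fri, 13 Nov 2015 15:28:42 -0500\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html;\r\n\tcharset="utf-8"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/"
    "advertisers/moneyviking/EULA.php\r\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514\r\n\r\n"
    '=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =\r\n'
    '"hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">\r\n'
    "<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>\r\n"
)

UA_RE = re.compile(r"^Installer\((?P<fields>.*)\)$")


def parse_installer_ua(ua):
    """Split 'Installer(k=v;k=v;...)' into a dict; None for any other UA,
    so this doubles as a detection predicate over proxy logs."""
    match = UA_RE.match(ua.strip())
    if match is None:
        return None
    fields = {}
    for item in match.group("fields").split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip("[]")  # ref=[...] is bracketed
    return fields


def parse_request(raw):
    """Minimal HTTP/1.1 request-head parser: request line plus headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def parse_mht(raw):
    """Parse a single-part MHT bundle. Content-Location is the URL the page was
    saved from: the real offer origin, whatever host served the file."""
    msg = message_from_string(raw)
    origin = msg.get("Content-Location", "")
    return {
        "subject": msg.get("Subject", ""),
        "saved_by": msg.get("From", ""),
        "origin_url": origin,
        "origin_host": urlsplit(origin).hostname or "",
        "body": msg.get_payload(decode=True) or b"",  # quoted-printable undone
    }


def triage(request_raw, mht_raw):
    """Correlate one request/response pair into the fields an analyst pivots on."""
    req = parse_request(request_raw)
    ua = parse_installer_ua(req["headers"].get("user-agent", "")) or {}
    mht = parse_mht(mht_raw)
    mirror = req["headers"].get("host", "").lower()
    return {
        "mirror_host": mirror,
        "path": req["path"],
        "origin_host": mht["origin_host"],
        "host_mismatch": bool(mht["origin_host"]) and mirror != mht["origin_host"],
        "offer": mht["subject"],
        "ref": ua.get("ref"),
        "pid": ua.get("pid"),
        "elevated": ua.get("elevated") == "true",
        "uac": ua.get("uac"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUEST, SAMPLE_MHT).items():
        print(f"{key:14} {value}")
```

Running the file prints the triage record for the sample pair. In practice parse_installer_ua is the useful piece on its own: run it over the User-Agent column of proxy or web-server logs to find other hosts running the same installer, group requests by ref to see one installation's full offer sequence, and treat the elevated and uac fields as the installer's own report of the privilege it got (the manifest string in the dumps below requests requireAdministrator). Do not trust the served Content-Type when deciding what a response is; the MHT headers and the quoted-printable body are what identify these offer pages.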

The Malware connects to the servers at the following location(s):

%original file name%.exe_404:

.text
`.rdata
@.data
.bindat
@.script
@.rsrc
PSSSSSSh
%d.%d.%d
./shared_library.dll
./extramod.dll
./lua51.dll
advapi32.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
miniz.InflateZStream
miniz.DeflateZStream
inflate() failed(rc=%d)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
deflateInit() failed (rc=%s)
inflateInit() failed (rc=%s)
derive_key
default_key
KEYLEN
UPDATE_KEY
EXPORTABLE
DELETE_KEYSET
MACHINE_KEYSET
NEWKEYSET
BAD_KEYSET
NO_KEY
BAD_PUBLIC_KEY
bad argument #%d to %s('%s' expected)
%s<%p>
provider_derive_key
key_destroy
%s expected data in index [1]
%s expected 'length' with lightuserdata
%s expected table argument
key_encrypt
key_decrypt
key_duplicate
Win32.Crypt.Key
Win32.Crypt.Hash
Win32.Crypto.Provider
@MIME 1.0.3
debug.pdb
USER32.dll
GDI32.dll
KERNEL32.dll
comdlg32.dll
ole32.dll
SHFileOperationA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.classes
resources.compressed
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
resources.binlib
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
luabridge.net
win32.shell
luabridge.config
dialog.image
resources.nsis
dialog.html
Press any key to continue
luabridge.fs
luabridge.win32
luabridge.registry
luabridge.nsis
resources.js
%d.%.%d
mime.core
.ViLPW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
lua51.dll
luabridge.dll
shared_library.dll
zcÁ
|[%s!
.xuUF
%xG=Q1
M'0%S
[email protected]
<.wD\M
2.xU9
Ln%Fqo
(aö>
d].Jt
 .Pla:
PJI%uS|
qX.Zmm&;
9^.zd>rb
f[2)|%F
E.tr[
l-Y}kOv
c~.Ibc_
_D-AfU%C&
Dk.pz
I.rJ3
O.zDE(3
JuBY%4U
ZJZ.vS
6G.QG
w.Wh>
#.Fl1
l}PÜe
.OO}V?CH}
E#h%S
-M}A%y
]dS
C`n:d%S
3j.AK
yJ.AG
)9V.WzS
l-z}yL
g#,.JZP
8$.WB
,'%fG
o.YaMZ!
.yH}v
NW%Xh
L0 ð
!r_of
J .skn
w.jtO
9~'.zB
.NqEc
{%Fve
.hf-a
$}ßDq
o4g%C
/.KQP
.vWTDB
ym%F!/
[j%UKlU
.cGH'
ny-.FF
Jb$%uFK
/tX.NLe
6.DmM
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Sun Aug 02 21:17:40 2015
version="50.4.8.219"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
setup.exe
50.4.8.219

%original file name%.exe_608:

.text
`.rdata
@.data
.bindat
@.script
@.rsrc
PSSSSSSh
%d.%d.%d
./shared_library.dll
./extramod.dll
./lua51.dll
advapi32.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
miniz.InflateZStream
miniz.DeflateZStream
inflate() failed(rc=%d)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
deflateInit() failed (rc=%s)
inflateInit() failed (rc=%s)
derive_key
default_key
KEYLEN
UPDATE_KEY
EXPORTABLE
DELETE_KEYSET
MACHINE_KEYSET
NEWKEYSET
BAD_KEYSET
NO_KEY
BAD_PUBLIC_KEY
bad argument #%d to %s('%s' expected)
%s<%p>
provider_derive_key
key_destroy
%s expected data in index [1]
%s expected 'length' with lightuserdata
%s expected table argument
key_encrypt
key_decrypt
key_duplicate
Win32.Crypt.Key
Win32.Crypt.Hash
Win32.Crypto.Provider
@MIME 1.0.3
debug.pdb
USER32.dll
GDI32.dll
KERNEL32.dll
comdlg32.dll
ole32.dll
SHFileOperationA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.classes
resources.compressed
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
resources.binlib
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
luabridge.net
win32.shell
luabridge.config
dialog.image
resources.nsis
dialog.html
Press any key to continue
luabridge.fs
luabridge.win32
luabridge.registry
luabridge.nsis
resources.js
%d.%.%d
mime.core
.ViLPW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
lua51.dll
luabridge.dll
shared_library.dll
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/FvxiEESGs0th3PHLIZs
c:\%original file name%.exe
?456789:;<=
!"#$%&'()* ,-./0123
|[%s!
.xuUF
%xG=Q1
M'0%S
[email protected]
<.wD\M
2.xU9
Ln%Fqo
(aö>
d].Jt
 .Pla:
PJI%uS|
qX.Zmm&;
9^.zd>rb
f[2)|%F
E.tr[
l-Y}kOv
c~.Ibc_
_D-AfU%C&
Dk.pz
I.rJ3
O.zDE(3
JuBY%4U
ZJZ.vS
6G.QG
w.Wh>
#.Fl1
l}PÜe
.OO}V?CH}
E#h%S
-M}A%y
]dS
C`n:d%S
3j.AK
yJ.AG
)9V.WzS
l-z}yL
g#,.JZP
8$.WB
,'%fG
o.YaMZ!
.yH}v
NW%Xh
L0 ð
!r_of
J .skn
w.jtO
9~'.zB
.NqEc
{%Fve
.hf-a
$}ßDq
o4g%C
/.KQP
.vWTDB
ym%F!/
[j%UKlU
.cGH'
ny-.FF
Jb$%uFK
/tX.NLe
6.DmM
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Sun Aug 02 21:17:40 2015
version="50.4.8.219"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
setup.exe
50.4.8.219
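The Lua fragments in both dumps above (function M.setSymbols(symbols), ffi.copy(dict,symbols,64), function M.unb64(data), M.setSymbols(DEF_DICT), M.setSymbols(loadarg), M.unfilter = M.unb64) are the installer's resource filter: a base64 decoder whose 64-symbol dictionary can be replaced at load time, with a padding placeholder chosen by (#data % 3) + 1. Resources pulled from a dump therefore may not decode with the standard alphabet. The following is an added example, not the installer's code or a reconstruction of it: a Python codec for base64 with a caller-supplied alphabet and placeholder, plus a scanner that pulls 64-byte runs of distinct printable characters out of a strings dump as candidate dictionaries. EXAMPLE_ALPHABET is a constructed value for illustration; it was not recovered from this sample.

```python
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed example dictionary, the kind of value M.setSymbols(loadarg)
# would receive. It is NOT recovered from this sample.
EXAMPLE_ALPHABET = b"zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"


def _check(alphabet, placeholder):
    """A dictionary needs 64 distinct symbols, and the placeholder must not be
    one of them or trailing placeholders cannot be told apart from data."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a base64 dictionary needs exactly 64 distinct symbols")
    if set(placeholder) & set(alphabet):
        raise ValueError("placeholder symbol must lie outside the dictionary")


def b64(raw, alphabet=STD_ALPHABET, placeholder=b"="):
    """Encode with a custom alphabet. Padding count follows the Lua lookup
    ({"", pp, p})[(#data % 3) + 1]: 0, 2 or 1 placeholders."""
    _check(alphabet, placeholder)
    body = base64.b64encode(raw).rstrip(b"=")
    body = body.translate(bytes.maketrans(STD_ALPHABET, alphabet))
    return body + placeholder * ((3 - len(raw) % 3) % 3)


def unb64(data, alphabet=STD_ALPHABET, placeholder=b"="):
    """Invert b64(): strip placeholders, reject symbols outside the dictionary,
    map onto the standard alphabet, re-pad and let the stdlib decoder validate."""
    _check(alphabet, placeholder)
    body = data.rstrip(placeholder)
    foreign = set(body) - set(alphabet)
    if foreign:
        raise ValueError("symbols outside the dictionary: %r" % bytes(sorted(foreign)))
    body = body.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(body + b"=" * (-len(body) % 4), validate=True)


def find_alphabet_candidates(blob):
    """Return every 64-byte window of distinct printable bytes in a dump:
    dictionaries worth trying when a resource will not decode with the
    standard alphabet."""
    printable = set(range(0x21, 0x7F))
    hits = []
    for i in range(len(blob) - 63):
        window = blob[i:i + 64]
        symbols = set(window)
        if len(symbols) == 64 and symbols <= printable:
            hits.append(window)
    return hits


if __name__ == "__main__":
    secret = b"Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];pid=608)"
    wire = b64(secret, EXAMPLE_ALPHABET, b"~")
    print(wire)
    assert unb64(wire, EXAMPLE_ALPHABET, b"~") == secret
    print(find_alphabet_candidates(b"junk" + EXAMPLE_ALPHABET + b"junk"))
```

A wrong dictionary guess is not always caught: if every symbol of the blob also happens to be in the guessed alphabet, unb64 returns plausible-looking garbage rather than raising, so check the decoded output (a PE header, JSON, a ZIP signature like the PK bytes in the skin download above) rather than relying on the exception alone. Feed find_alphabet_candidates the raw dump rather than a strings listing, since a strings tool may split or drop characters of the table.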


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:404
    %original file name%.exe:608
    %original file name%.exe:1888

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\jquery.js (1843 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85678DAB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll (2039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\wbk2.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_on.gif (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\skip_all_offers_btn.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\uninstall.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\401\moneyviking_490.mht (4708 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline_offer_btn.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\install_now_btn.gif (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\minimise.gif (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\writer[1].jpg (6212 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\headerBG.gif (366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin.zip (11948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\.DS_Store (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\next.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\mod.css (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\options.json (121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll (3579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\stepBG.gif (946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\truste.gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\offers.css (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo2.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll (1485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\developer_btn.gif (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo.jpg (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\progress.css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\405\Update_Admin_490_1.mht (1924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\index.html (10225 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.js (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\404\onesystemcare_490.mht (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\ok.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\acceptGreen2x.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\403\rockettab_490.mht (1924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\close.gif (510 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\290\findwide_nocheckboxes_490.mht (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_off.gif (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\knockout.js (2039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\1\OO-writer-openofficeuscom-bm25.mht (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll (675 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\bg4.gif (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\back.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\icon_folder.gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll (40 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
