MD5: b86c719f93d86db71d4df0853d97214f
SHA1: 6fc83dae7b45585eb9a30ee3eb5e650e2b58bdc1
SHA256: dcebaec8d155f11d149bf6e0dff73ea22eb2f50f3164cf3eb2da3d9537278e1a
SSDeep: 6144:yz 92mhAMJ/cPl3iwbNozlx/LVXHSPF0MfK:yK2mhAMJ/cPlN 7VXL
Size: 212336 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wsmallstub.exe:472
%original file name%.exe:1560

The Backdoor injects its code into the following process(es):

DVD_Shrink_v3.2.0.15.exe:1596

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process DVD_Shrink_v3.2.0.15.exe:1596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4357d65f-a22b-4e28-a57c-d632a6270d43[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PS_searchprotect[1].json (32508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[2].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PCOptimumBoost[1].htm (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[2].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[2].htm (23341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\994349[1].htm (24471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[1].htm (27085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].htm (3611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1514591[1].htm (24993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\left_text[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AfterDawn[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\FDMClient.dll (8184 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (0 bytes)

The process wsmallstub.exe:472 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1560 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_1980906 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (0 bytes)

Registry activity

The process DVD_Shrink_v3.2.0.15.exe:1596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"
"DVD_Shrink_v3.2.0.15.exe" = "6000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CachePrefix" = ":2014122320141224:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122320141224\"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "DVD_Shrink_v3.2.0.15.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 14 22 3E 86 2C 8F 6D 34 A7 72 ED F2 93 3B 75"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wsmallstub.exe:472 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 EF B9 07 7A D3 E1 7C 95 32 4C FD 93 4A 8A B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1560 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 FE 43 F6 AE A3 FF F5 2F D3 25 98 AC A7 41 B3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"wsmallstub.exe" = "wsmallstub"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: DVD_Shrink_v3.2.0.15.ex
Internal Name: DVD_Shrink_v3.2.0.15.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 66
20a1cc1abdac40f46d8e0aede3c84cbc
dc4891503b7a98d07319c2771e79192e
6faf9d8d9870f3d635dd5406083a17ca
0e43ed0d51af206b106693caf2745067
8b1b8144955c45b2c5e02fa5e05eb775
c4b6804fb5135658e95cd815f9ed2e04
f28e8c7e0bc01fa20d5b3e0f3c5420e7
17e19aaa661c6398e57dfab2bb1aa2d6
47d258151bdc9531528031f19ad0cfc2
c6fb01478c983cdbb2b82def26947c5c
ebe47e79344483b09d65c55638001974
054e9f941c4d06da0e43c063e98714a9
0bc038c839581166a3d7443cfc7d2cfe
b1ac555dfc0bb4d9a64d912574fa0dde
fdaaf3213c83a24c4c209fb5e65c04b6
3d4e152e1ef3195e859ccd4c5cac4a05
0f796b8ee2a25a65488813a8bc9ee06f
b34f22d88e267d6c706ca0ce202fbcf7
87916029b9d43b3d64bc3d9dbb7e6d4c
98bf6d4e3671d2cd20f238794c2b277e
54fd2905b6a4e2ff46851e3ad3231fb1
7bfef502c6cf82fc066e3cad39f9a0e0
f559287308ba44036f2c9a0381837a52
c67ea61534ef16eefc56f02b60eba05d
8cd0313290e88f773d7fa186c1a103d1

URLs

URL	IP
hxxp://173.223.99.12/CmsThemes/Default/Images/X.png
hxxp://173.223.99.12/CmsThemes/Default/Images/-.png
hxxp://173.223.99.12///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://173.223.99.12/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://173.223.99.12/CmsThemes/Default/Images/button.png
hxxp://173.223.99.12/CmsThemes/Default/Images/CancelBG.png
hxxp://173.223.99.12/CmsThemes/Default/images/SmallLoader.gif
hxxp://173.223.99.12/CmsThemes/Default/Images/InstallationSuccessful.png
hxxp://engine.va.dmccint.com/DecisionEngine.ashx
hxxp://54.243.179.23/
hxxp://173.223.99.12/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://173.223.99.12/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://173.223.99.12/Js/jquery.dotdotdot.min.js?fid=1514591
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/X.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/-.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/button.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://a1128.g1.akamai.net/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/CancelBG.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/images/SmallLoader.gif
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/BoxBgNew.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/Js/jquery.dotdotdot.min.js?fid=994349
hxxp://a1128.g1.akamai.net/customoffers/PC optimum boost/en/1/img/left_text.png
hxxp://e6652.g.akamaiedge.net/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://a1128.g1.akamai.net/customoffers/customframeapi.js
hxxp://e6652.g.akamaiedge.net/LMS/PS_searchprotect/PS_searchprotect.json
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBG.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/button.png
hxxp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://ude.databssint.com/
hxxp://cms.dmccint.com/CmsThemes/Default/Images/-.png
hxxp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/images/SmallLoader.gif
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=994349
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1514591
hxxp://cms.dmccint.com/CmsThemes/Default/Images/BoxBgNew.png
hxxp://engine.dmccint.com/DecisionEngine.ashx	199.101.114.147
hxxp://cms.dmccint.com/CmsThemes/Default/Images/X.png
hxxp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	23.9.119.70
hxxp://dehosting.dmccint.com/customoffers/customframeapi.js	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://storage.stgbssint.com/LMS/PS_searchprotect/PS_searchprotect.json	23.9.119.70
hxxp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/img/left_text.png	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://cmsstorage.dmccint.com///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://cms.dmccint.com/CmsThemes/Default/Images/InstallationSuccessful.png

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 35920

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT

Accept-Ranges: bytes

ETag: "03ea67913bdcf1:528"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=86400

Expires: Wed, 24 Dec 2014 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
...............7.(._.^...Lk..".......QlY....e.%..f...H.*.d&....\......
s3k......8...d"[email protected]./..........>.>.....^<.\.M:x..g_&
gt;{<..ON.{......'...x......d....2QI..........70.. ...........8/.O^
}sr.@O...<V...J..3......Y)z..~..''.E.....7R...|,..%oD.8..........K.
...7.JO....(..;.>.#.S.J...'[email protected]..|.j`.'....]...
...!..._}..|..4........2.K..l.S<./d.c^n....".\.\]q........E.J..M\\&
Y4.n..*...k.CS..W..N&.>}#..,..8N..,.\.. ..4.).......L6.w.y..E....q.
..D./.4..%.._S..x-.r.*...k>.......u...../U.F....z[.\....F..Jv.A.;l.
.........(?x....|......%...M...,.w...A0.......-.!..........b..I.(H.JV 
.M.. .\^)l.......j.IFE.8eB......}.\..4..L......'.......?.......A......
D.dW.......5......E~.,..U.QX..?..f..A..o..a....2OwJN]b*....'.o{c.....`
.Q..*6_?J.Lc`&.4.5j...x...]Q.E......alG..b0..-.<..?...BB..w....o\
...~8.gza2..|...h..@... vP..G.<z.Q...NV...8.3....E..V.......S..%...
..[.o...x._.p)..L..P.C.........1..u?XBm...o.......f........{..0.05C.A.
.NX.N.).<E..`M....'...t0~PN..V..g...m4...o.%I.I. ...A..S.N...7.....
m...N.WI.3....oi....F.-..a.e|.....v...E.X.3.V ..w!.n*[..|....u....q...
x....]....Uk.....~.-:...m.\..q..d....e!ev.......?H...............~]...
{.xp).x..0>.".S/...u._.c.N.=b.........G..*)D...%[email protected].$.....A..
.....0....t.}..7N2d.n....g..N(..~.I....H....... `.[.....S.&.?lo...`=..
...\.<....N{[...4...] `..}n.,.....i...6[.eE...]?.D..[....a=|..}.[(.
._@!"..C.~.Q.w...\.|.t....q".o!....R'1sG....z..2..M^.n'...`...Nz'.....
!..6... v....,.S\.R.}b.?&.....,.....ep..........dL.L>.{G...!...
<<< skipped >>>

GET /LMS/PS_searchprotect/PS_searchprotect.json HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie#cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept: application/json, text/javascript, */*; q=0.01

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 250005

Content-Type: application/json

Last-Modified: Wed, 17 Dec 2014 11:45:53 GMT

Accept-Ranges: bytes

ETag: "a8cc23ef19d01:ded"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=7200

Expires: Tue, 23 Dec 2014 23:04:20 GMT

Date: Tue, 23 Dec 2014 21:04:20 GMT

Connection: keep-alive

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
{"Product":"PS_SearchProtect","LastUpdate":1345880,"Translations":{"ar
":{"Keys":{"@@AcceptAndInstallButton@@":{"Text":"\u0623\u0648\u0627\u0
641\u0642 & \u0648\u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u0
64a\u062a"},"@@Body_text_1st_paragraph@@":{"Text":"\u064a\u064f\u0631\
u062c\u0649 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0
644\u0648\u0645\u0627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637
 \u0627\u0644\u0647\u0627\u0645\u0629 \u0627\u0644\u062a\u0627\u0644\u
064a\u0629 \u0642\u0628\u0644 \u0627\u0644\u0645\u062a\u0627\u0628\u06
39\u0629."},"@@Body_text_1st_paragraph_2@@":{"Text":"\u0643\u062c\u063
2\u0621 \u0645\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0628
\u0631\u0646\u0627\u0645\u062c\u060c \u064a\u0645\u0643\u0646\u0643 \u
0623\u064a\u0636\u064b\u0627 \u0627\u0644\u062d\u0635\u0648\u0644 \u06
39\u0644\u0649 \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629
 \u0627\u0644\u0628\u062d\u062b. \u064a\u064f\u0631\u062c\u0649 \u0642
\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0
627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637 \u0642\u0628\u064
4 \u0627\u0644\u0627\u0633\u062a\u0645\u0631\u0627\u0631."},"@@Body_te
xt_2nd_paragraph@@":{"Text":"\u0642\u0645 \u0628\u062a\u062b\u0628\u06
4a\u062a \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629 \u062
7\u0644\u0628\u062d\u062b \u0644\u062a\u0639\u064a\u064a\u0646 \u0627\
u0644\u0635\u0641\u062d\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u06
4a\u0629 \u0648\u0627\u0644\u0628\u062d\u062b \u0627\u0644\u0627\u
<<< skipped >>>

GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10243

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "caa5998c6fd01:0"

Cache-Control: private, max-age=8122

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
....


GET /DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174709

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 02:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie
 ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie
 ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie
 ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie
 ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html&
gt; <![endif]-->..<head>.. <meta http-equiv="X-UA-Compa
tible" content="IE=edge" />..    <meta charset="utf-8" />..  
 ..     <title>installation</title>..    <style>./* 
======================================================================
=======..   HTML5 Boilerplate CSS: h5bp.com/css..   ==================
======================================================== */..article, 
aside, details, figcaption, figure, footer, header, hgroup, nav, secti
on { display: block; }..audio, canvas, video { display: inline-block; 
*display: inline; *zoom: 1; }..audio:not([controls]) { display: none; 
}..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-s
ize-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, 
select, textarea { font-family: sans-serif; color: #222; }..body { mar
gin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-s
hadow: none; }..::selection {  text-shadow: none; }..a { color: #00e; 
outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..
a:focus { outline: none ; }..a:hover, a:active { outline: none;border:
 none; }...ie7 a:focus, *:focus {..     noFocusLine: expression(th
<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "ce177098c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1504

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
GIF89a.........................v.....5..d..e..........................
{......................................!..NETSCAPE2.0.....!..XMP DataX
MP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xm
pmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155
772, 2014/01/13-19:44:00        "> <rdf:RDF xmlns:rdf="hXXp://ww
w.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about=
"" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://n
s.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com
/xap/1.0/" xmpMM:OriginalDocumentID="A5EDB964567077337C8E54A0BBE35981"
 xmpMM:DocumentID="xmp.did:861DE9F12C2811E484A994AD54106D49" xmpMM:Ins
tanceID="xmp.iid:861DE9F02C2811E484A994AD54106D49" xmp:CreatorTool="Ad
obe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:ins
tanceID="xmp.iid:df987947-01f7-4167-b08b-2878b7f29ca6" stRef:documentI
D="adobe:docid:photoshop:b746f760-73f3-1177-8ee4-c7825aacab4e"/> &l
t;/rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacke
t end="r"?>........................................................
......................................................................
....~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?&g
t;=<;:9876543210/.-, *)('&%$#"! .................................!.
......,..........D`28Ga\.PA.......e3..L.UU:....Q..XCh.(...-.Z.....v..v
._0\Q.J'.a.z.....!.......,..........4.PA..]h28Ga,.eU.z.T..M,[email protected]. 
J.C.d4.N. .J'.b.2...!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G
<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=9260

Expires: Tue, 23 Dec 2014 23:38:39 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "98a6d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "98a6d98c6fd01:0"

Cache-Control: private, max-age=8769

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ce177098c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ce177098c6fd01:0"

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
....


GET /DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174715

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 02:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie
 ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie
 ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie
 ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie
 ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html&
gt; <![endif]-->..<head>.. <meta http-equiv="X-UA-Compa
tible" content="IE=edge" />..    <meta charset="utf-8" />..  
 ..     <title>installation</title>..    <style>./* 
======================================================================
=======..   HTML5 Boilerplate CSS: h5bp.com/css..   ==================
======================================================== */..article, 
aside, details, figcaption, figure, footer, header, hgroup, nav, secti
on { display: block; }..audio, canvas, video { display: inline-block; 
*display: inline; *zoom: 1; }..audio:not([controls]) { display: none; 
}..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-s
ize-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, 
select, textarea { font-family: sans-serif; color: #222; }..body { mar
gin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-s
hadow: none; }..::selection {  text-shadow: none; }..a { color: #00e; 
outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..
a:focus { outline: none ; }..a:hover, a:active { outline: none;border:
 none; }...ie7 a:focus, *:focus {..     noFocusLine: expression(th
<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1514591 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=9336

Expires: Tue, 23 Dec 2014 23:39:54 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.ww
w.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dua
l licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/
wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_Li
cense. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.e
mpty();for(var i=0,d=r.length;d>i;i  ){var l=r.eq(i);if(t.append(l)
,n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}f
unction r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, 
colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgro
up, option, textarea, script, style",u="script, .dotdotdot-keep";retur
n e.contents().detach().each(function(){var f=this,h=t(f);if("undefine
d"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is
(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"a
ppend"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.de
tach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];i
f(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o
.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLet
ter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y
);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).joi
n(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g
[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.len
gth&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes
<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=8974

Expires: Tue, 23 Dec 2014 23:33:52 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8763

Expires: Tue, 23 Dec 2014 23:30:21 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8764

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=9330

Expires: Tue, 23 Dec 2014 23:39:48 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e8b65c98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6035

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
.PNG........IHDR...J...1.............sRGB.........gAMA......a.....pHYs
.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.a
dobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xm
pMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:Docume
ntID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stRef:
documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>...P....IDATx^...N....P...L.).A(...A."1...$<rcK...r....] .E. 8
.^..[......o........ @.7.u&... @......(J..... @...'...^z....puu5...c..
......cmmm:.#@.......g......{..u>|.0.....?~.......i..........(JQ^..
. @....,p......pyy9lnn.....1_z./....^;..... @`...x....v:nnn....aooo..(
J..I...SI...W.....F.......u..OBz.(.%i>.....*........ @.............
p}}=lmmMg.......O.9...../&@..............|[email protected]....
. . .8.t||<.A.[.|Vi>.4~}..%g.z.... @...6......J....F..l.........
y".W....\..O.-?t..N..... @`...o..K.|.m,J.1.%..V..!-..... .........
<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "c8592844c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2726

Cache-Control: private, max-age=8621

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
.PNG........IHDR...>.........$.=.....sRGB.........gAMA......a.....p
HYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:co
m.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"
?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5
.0-c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:
rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Descript
ion rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM=
"hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap
/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows"
 xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:Doc
umentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:Deriv
edFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stR
ef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf
:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end=
"r"?>...P....IDATx^...N#K.....%[email protected]..$`.3U..j.3.h0..%m..E.i
W.'........ ..?.......<<<.......V..i..d...`....S......v... ..
..S.Y.....r.._677...F..>=~....8z.....yyy)......`~r.>u.s{{.......
........Y.>5z.......!|....l6 [[[-z..x.........j...o{j..............
....EN...O..:..#....2....O......S.Y.?.......S.g.>..]b..X75eV]s....!
|.//...#|........S..........j!|...........j....\u...:'''.....;;;C.....
....UM...O...?OOO..........F...?.W...U....X.............%v....O..!|...
./X.4.....!|.......!|.......!|.......!|.......!|.......!|.......!|
<<< skipped >>>

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "98a6d98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2779

Cache-Control: private, max-age=8132

Expires: Tue, 23 Dec 2014 23:19:50 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive
.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB22C3E111E3AEC3EB
792256C508" xmpMM:DocumentID="xmp.did:72B2EB23C3E111E3AEC3EB792256C508
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB20C3E111E3
AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB21C3E111E3AEC3EB7922
56C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>.x.I...MIDATx....k]i...s..i..j....n.bq.2.
c.Zq....("..A......tQ.S..8. h..af1.....f3.XZ.J[.T.i3.Mnnn.9..7..L.].C.
......dw6_....v..y=E=y...P.)........s..........#UU.8_.4A..k.Vk...{....
......b......w....,.E./[email protected]..];z......f....34...v[...H1....g..
....'.......bss.H......699y...^..0...TU....h.V ..x.sOL.?r..@JYX...:4..
.$...?!.@.. .B......t&.H3.KM..d.... ..... ..... .&(..H6..C.H5..C....@.
..T.... ..... ..... .&(..H6..C.H5..C.H...A.. ..............4B0....,g..
..,..n..;......G.|r........r.1..o..b..........mp.)...B.u....l......../
.\..`~~......P...C{.... ..Fh.W/].t....7..N,.1....'..D..z..c.......
<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "524e5698c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "6972344c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 5182

Cache-Control: private, max-age=9334

Expires: Tue, 23 Dec 2014 23:39:53 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
.PNG........IHDR...[...G......9......pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=994349 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 6149

Cache-Control: private, max-age=10976

Expires: Wed, 24 Dec 2014 00:07:15 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.ww
w.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dua
l licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/
wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_Li
cense. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.e
mpty();for(var i=0,d=r.length;d>i;i  ){var l=r.eq(i);if(t.append(l)
,n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}f
unction r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, 
colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgro
up, option, textarea, script, style",u="script, .dotdotdot-keep";retur
n e.contents().detach().each(function(){var f=this,h=t(f);if("undefine
d"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is
(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"a
ppend"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.de
tach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];i
f(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o
.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLet
ter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y
);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).joi
n(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g
[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.len
gth&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes
<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8762

Expires: Tue, 23 Dec 2014 23:30:21 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=9329

Expires: Tue, 23 Dec 2014 23:39:48 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "e8b65c98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "e8b65c98c6fd01:0"

Cache-Control: private, max-age=8769

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "c8592844c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "c8592844c6fd01:0"

Cache-Control: private, max-age=8620

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6972344c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6972344c6fd01:0"

Cache-Control: private, max-age=9334

Expires: Tue, 23 Dec 2014 23:39:53 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

POST /DecisionEngine.ashx HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: engine.dmccint.com

Content-Length: 2509

Connection: Keep-Alive

Cache-Control: no-cache

<OFFER_REQUEST><COMPLETE_COMMAND_LINE>false</COMPLETE_COMMAND_LINE><USER_PROFILE><PUBLISHER_ID_NUM>244</PUBLISHER_ID_NUM><SESSION_ID><![CDATA[49deca54-7b41-4951-ba0d-e55cf038edeb]]></SESSION_ID><TRACKING_ID><![CDATA[]]></TRACKING_ID><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DMVersion</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>1.4.0.4.141214.03</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultBrowser</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>IE</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>CurrentToolbar</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>Homepage</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[about:blank]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultSearch</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USE
HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/xml; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 23 Dec 2014 21:04:16 GMT

Content-Length: 11519
...<OFFER_RESPONSE><MAIN_OFFER><OFFER_ID>1572961<
/OFFER_ID><OFFER_NAME>DVD Shrink v3.2.0.15</OFFER_NAME>
<OFFER_URL>no_dynamic_main_offer_url_supported_in_this_version&l
t;/OFFER_URL><OFFER_DESCRIPTION /><OFFER_INSTALL_CMD>&l
t;OFFER_ID>1572961</OFFER_ID><OFFER_STATE>default</O
FFER_STATE><DOWNLOAD_URL>hXXp://VVV.afterdawn.com/software/ge
neral/download.cfm?version_id=1421&installer_download=1&perion
=1</DOWNLOAD_URL><INSTALL_COMMAND_LINE /></OFFER_INSTAL
L_CMD><INSTALLATION_TYPE>1</INSTALLATION_TYPE><PRODU
CT_ID /><PRODUCT_TYPE>Publisher's Offer</PRODUCT_TYPE>&
lt;PRODUCT_VERSION /><ROOT_OFFER_ID>1572961</ROOT_OFFER_ID
><DOWNLOAD_URL>hXXp://VVV.afterdawn.com/software/general/down
load.cfm?version_id=1421&installer_download=1&perion=1</DOW
NLOAD_URL><OFFER_FILE_NAME /><DOWNLOAD_BACKUP_URL>http:
//VVV.afterdawn.com/software/general/download.cfm?version_id=1421&
installer_download=1&perion=1</DOWNLOAD_BACKUP_URL><CONDI
TION_TYPE>None</CONDITION_TYPE><TOTAL_STEPS>1</TOTAL
_STEPS><SOFTWARE_PRODUCT_VERSION /><ANTI_OFFER /><SU
CCESS_CODE /><INSTALLATION_UI_ELEMENTS><UI_ELEMENT><
NAME>DownloadBrowser</NAME><VALUE>IE</VALUE></
UI_ELEMENT><UI_ELEMENT><NAME>CType</NAME><VALU
E>-1</VALUE></UI_ELEMENT><UI_ELEMENT><NAME
<<< skipped >>>

GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10250

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
....


GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10242

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

GET /customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 13 Nov 2014 10:11:54 GMT

Accept-Ranges: bytes

ETag: "427df63f2affcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 10303

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

Vary: Accept-Encoding
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"~........7....t.....WO.....m...
.{'w.>}.4.........x'}Sg..h.j..w.....7NR}>.......WWW..{........w.
..(..v......GG...J.-.e.Y.......................v....uq..G'........U.Q:
..>.......0................q[.e~............@).i..7...(.T.....O.,..
.X>Jw...W.lV,/._.......(......"....j.........*..Q......5pM~....A..X
.u...b.............}.yq1o...vwz..*..Gi6i.r....5.....*.i...to...$......
r.(]...G...n....?fe.Z^|t'.....v.......... D..|...VD..[......y.....C5#.
......)~.....o..Awwo....x..I............?...p. n|[email protected]{_.......h.6.6
[email protected].{....x,.....T.,....C...x.. ..x.C..=..i......e^.....5....:_
 Y.l."....n.1.........}M........j.:N.....3t.w.y.%..m..n.m.........7..3
.3A;{..'..w...I&.O...4....:.?g.eZ.>...Y...)4.GdT.o...BX.........ix.
......E.._.../.....x.~...UJ.....iz...../N_.y|wB`......e.gMN..%.o..I..j
.~...7.$'.O.s2.iU.UI<..UZ,.6 K|F..../Wm.X/..'...j.qzv.^...f...%X.tV
...w....;.O...7...Y>#6....5.'....(..lq......MJ.........gQ.iu.f.....
u...).Uz5/.......O.~......X/.v{B....jU...o5.g....,.9.1.V5d..Pw4.g....W
....gOO......N...........g'o..|...,..:M.z....................7../_....
....9}............K..c..:.F4.?I..z..|q.../.|.>.../..y.tD..~s..9....
_.|s..W_0..........8.........sB......1..IV. ..4'YS.[.....&......fvA.. 
.k.s.g4..._........Xd.4..n :..2'. ....jc.^...i..#.....kn..L.]h.U...1..
.5..0.^.g.y.Z..6...O.d.........9.E..$. ...1.8...,x..jy..=...v..[_..VU.
.x.^2wge.^3....#yY..e.Ij..UU...#....tyQ..MJ..X.?3.....f...HS^T3...
<<< skipped >>>

GET /customoffers/PC optimum boost/en/1/img/left_text.png HTTP/1.1

Accept: */*

Referer: hXXp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 13 Nov 2014 10:11:54 GMT

Accept-Ranges: bytes

ETag: "8a5af43f2affcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 11937

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive
.PNG........IHDR...=.........KF......sRGB.........gAMA......a.....pHYs
..........o.d...6IDATx^.......@'....x)...... ..L..D=~.......r.....D...
.\...}.A.\.(zA.\.(zA.\.(zA.\.(zA.\.(zA.\.(zA.\.(z..}}|.... ...?8....s.
.......l..`....I.~..g......{..o..}.}hs?S.'..T.a.......NU.X.1...Y.n....
E9...s..6=..wz...|~jg.#..W.:NS.x...B^....ER.....#b!|'..P.......pX!>
.._..i9G.c.l.4..n.....1.^.....v...#..l.....{._...E.^.y..]E.D...`."J...
.h\..x[k.>%..:.UQ.{..*t.0.....Gm.......C..q.'...G.;G.O.]...u...m.{.
..76-..f..Mr........>7G.Q@.:.E.>:.l.=..[6..{_'?...a..mh..(z...EO
.jPa....Fn.z.o.iU.|..6....[...........A.Q.........).a.O6M..S.)..s...'.
.Q.&......=.....=.`l.I.{.=..V.,y.^^)zw.A.,z....!......f....Cj...c...I~
......z........7.e...B.;R......k6.....q=. w.6-....G....GW#g........fa.
q.....Q.....;6m.[...q......F..#s....&|.E......o...@?....x..%.%.....;m.
[...*.}......U......z........=.<z..$.......&.FRZ.......'...G..r...9
..g..>...O...Pc}d.N....j.:NQ.x..&../x...y.w....[............Cu..zml
Z..RL.\. z.YW.,...v.l..B...*.. ..5...eDa....K..5..x.....nm<oC.B..'.
>i...j..:(..{W*.=...=..:-.;....z..4.S/...q.....F...." e(..2&=.}^..X
z.7... .>.*z.Y ..z..J3..Q..Evk.j.%....u.....-.A...(zA.\.(zA.\.(zA.\
..Q.. .V......................................E.....$..]..w..........J
...#?.'......m..[............o.....{~..P..6..'..D..]^_.r....../4._g...
.Ii..G.c..q....n......}L.N\......G.....<.....^..kY.......I.E...[...
~..b....m.r..<..#9G.k...G...I2.._H.}...a..m..(...2..*:..ps~... #lor
.|...u#k..R....b.U.....<......6.s..5..kS.>....6.........>
<<< skipped >>>

GET /customoffers/customframeapi.js HTTP/1.1

Accept: */*

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Encoding: gzip

Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT

Accept-Ranges: bytes

ETag: "46a2919a7ac7cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 798

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

Vary: Accept-Encoding
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"....i[T.t.N.....7NRz..:]eu.l...
..4_N.Y.....Y...T.U...[e5..a<...;w...,......;......X.3...Y....G..W.
...(g....`B_..W.....2/.......j......=...\...^d.|..b.Z.............}4r.
.....Wu.UP....H.w........w.|....8O.:..W|.h..m]L.m...,k..I>......N..
~...e.....k.uM8./po\....`]...yu..'Y...?#.4o..a.A..S..j..e<q.}.~...t
.O.....H?z..k?J....f...~I..M~s.M...m.|..c...Y~...6.o..0. Z....We6....9
.......zo.z..w........\..Rk.....K./..1..D........m.8....h:.l...w.t.0o?
J0...h.,..............$=..._.....n.l..... ...F..3.V......U^.Ok]@.....K
..b..>...o;..t`m....jZ..|t...Cj......y.[...v..Z...?.|..?......[..].
.`.i..A.q..4m.....#.F|U,g..X.......I.'.."....z#.......h.......a..b.K.#
L...k.M..-..&...6z..........;....8".F.....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "0c67198c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 1076

Cache-Control: private, max-age=8981

Expires: Tue, 23 Dec 2014 23:33:52 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e&
lt;... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5 Windows" xmpMM:InstanceID="xmp.iid:CBFD1020532511E199C4D62405
85BDC2" xmpMM:DocumentID="xmp.did:CBFD1021532511E199C4D6240585BDC2">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CBFD101E532511E199C4
D6240585BDC2" stRef:documentID="xmp.did:CBFD101F532511E199C4D6240585BD
C2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>..q<....IDATx.b)--}...p..}.....i...2q u...
2... v..F.$3.Z...@...$..&..%..i. ....@......... g5.[[email protected] ..T..._f@.
.0.L.6 N..EP....v.$..}.v.H;..v [email protected]....`.uP(...@..*..........1.
%>.d....IEND.B`.....
<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "67f82544c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "404a5898c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=8771

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
.PNG........IHDR...............r.....tEXtSoftware.Adobe ImageReadyq.e&
lt;...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:E4C0C980D870E111A2F7CE32BC247645" xmpMM:DocumentID="xmp.did:1D12
B49752CE11E4A35AAE9F3918A442" xmpMM:InstanceID="xmp.iid:1D12B49652CE11
E4A35AAE9F3918A442" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> 
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A3B36E671AF11E1BCD6B8
635898C9B3" stRef:documentID="xmp.did:4A3B36E771AF11E1BCD6B8635898C9B3
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>o.a*....IDATx...k.e.A......{..........P.K......
....*~.i.....i...V$...E.....Z.TJ.1..:*..m......*i..jn..;3.....]k.s..L.
o".}~.a.9.O.e}.._{....i..,.... ...g...._..-... ..".=....qT.{9..,../..?
}...}...~..=............G...~,[email protected].. u....... ?.H.
."<....Ey......W......,|.?~)....f..^;..W.........w.k7.1...z..^Q\Q..
......l./4...`.B..-....X..Kygy.....F.......u:.n&.....G.g.&...zvo......
.....hz...........hz.....v.y.&...zY.-..,L.......z.7.X...{...izvo..(.WU
..7.....t...._.h..f..^;...,~.....r.......TWg.......k.V.......T..=f
<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "d0643b44c6fd01:0"

Cache-Control: private, max-age=8627

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2337

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:40:373" , "phase" : "InStartLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "7719" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_comb
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:16 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:16 GMT..P3P: CP="N
OI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length
: 0..Connection: keep-alive......


POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2268

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:44" , "phase" : "Android detection start" , "phase_type" : "regular" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "671" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combinations_2014-12-23.csv" , "user_operating_system" : "Microsoft Windo
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
....


POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2334

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:76" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combina
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
....


POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2781

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:107" , "phase" : "InitComplete" , "phase_type" : "regular" , "order" : "2.0" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "EngineMgrCreated:828,BuildUserProfile:6656,retrieveCid:0,sendXML:0,xmlSent:16,startParse:391,endParse:15,StartOffersLoop:703,ValidateMO:0,NavigateFirstSlot:0,ReportInitComplete:0," , "general_status_code" : "1" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_id" : "1572961" , "product_id" : "0" , "product_type" : "Publisher's Offer" , "product_id_version" : "" , "rule_id" : "465651" , "vector_id" : "466244" , "is_parallel" : "0" , "call_service_duration" : "407" , "navigate_mo_duration" : "MONavigationCompleted:1578," , "navigate_global_duration" : "GlobalNavigationCompleted:2110," , "attempt_number" : "1" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_s
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
....


POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2801

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:138" , "phase" : "OfferPresented" , "phase_type" : "regular" , "order" : "3.1" , "result" : "Success" , "error_details" : "" , "phase_duration" : "63" , "duration_details" : "" , "general_status_code" : "2" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_suggestion_number" : "1" , "offer_presented_number" : "1" , "slot_number" : "1" , "position_in_slot" : "1" , "server_settings" : {"DownloadBrowser":"IE","CType":"-1","SearchProvider":"Bing","UserMode":"-1"} , "user_selection_settings" : "" , "condition_type" : "None" , "offer_type" : "Main" , "offer_id" : "1572961" , "root_offer_id" : "1572961" , "rule_id" : "465651" , "vector_id" : "466244" , "product_id" : "0" , "product_id_version" : "" , "product_type" : "Publisher's Offer" , "state" : "" , "installation_type" : "0" , "attempt_number" : "1" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:18 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
....


POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2291

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:279" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "16" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combinations_2014-12-23.csv" , "user_operating_sys
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:18 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:18 GMT..P3P: CP="N
OI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length
: 0..Connection: keep-alive..

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8245

Expires: Tue, 23 Dec 2014 23:21:36 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=8982

Expires: Tue, 23 Dec 2014 23:33:53 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
....


GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "c8592844c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "caa5998c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 2726

Cache-Control: private, max-age=8246

Expires: Tue, 23 Dec 2014 23:21:37 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive
.PNG........IHDR...>.........$.=.....sRGB.........gAMA......a.....p
HYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:co
m.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"
?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5
.0-c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:
rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Descript
ion rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM=
"hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap
/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows"
 xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:Doc
umentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:Deriv
edFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stR
ef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf
:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end=
"r"?>...P....IDATx^...N#K.....%[email protected]..$`.3U..j.3.h0..%m..E.i
W.'........ ..?.......<<<.......V..i..d...`....S......v... ..
..S.Y.....r.._677...F..>=~....8z.....yyy)......`~r.>u.s{{.......
........Y.>5z.......!|....l6 [[[-z..x.........j...o{j..............
....EN...O..:..#....2....O......S.Y.?.......S.g.>..]b..X75eV]s....!
|.//...#|........S..........j!|...........j....\u...:'''.....;;;C.....
....UM...O...?OOO..........F...?.W...U....X.............%v....O..!|...
./X.4.....!|.......!|.......!|.......!|.......!|.......!|.......!|
<<< skipped >>>

GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e87a6698c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2670

Cache-Control: private, max-age=8890

Expires: Tue, 23 Dec 2014 23:32:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
.PNG........IHDR...#...".......`.....tEXtSoftware.Adobe ImageReadyq.e&
lt;... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5 Windows" xmpMM:InstanceID="xmp.iid:F1E913D3555911E18CA7F85F75
1BB1C7" xmpMM:DocumentID="xmp.did:F1E913D4555911E18CA7F85F751BB1C7">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F1E913D1555911E18CA7
F85F751BB1C7" stRef:documentID="xmp.did:F1E913D2555911E18CA7F85F751BB1
C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>~. .....IDATx..W]l.U.>........t...V~.X ...
I@HA.'~.D. .J4....o.V.&...X.B.E...M$}....l...o.P..g........w.eKA.....n
w.....}.9.`.n....r.|?(J..7 .;.....`.,.a.8Op....O..f..*.m..... g..(.../
.f0.E.......L..........Ru.r.....J.....`2..O..*[email protected]...@|..@..,S
..K.....P=.#..n....D.P..Y.x.:T.t.......Qv.n4..P6......x$.\....a.....#0
}.W...y:.*[email protected]..#9s.a...F..a....."P....H........].H....x
4...O/.<.....h:.J<b)..[....y....|f.a.....cy a..#..K2.z~I..ZS....
HM...[,[email protected]..?.sp...6.....g:....2#...X.V.,[email protected].<....).
...%.....p.&......M....$.b.......I.>hI.O.c.6AW'....C<1..F[..
<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "67f82544c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=8890

Expires: Tue, 23 Dec 2014 23:32:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive
.PNG........IHDR...............r.....tEXtSoftware.Adobe ImageReadyq.e&
lt;...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:E4C0C980D870E111A2F7CE32BC247645" xmpMM:DocumentID="xmp.did:1D12
B49752CE11E4A35AAE9F3918A442" xmpMM:InstanceID="xmp.iid:1D12B49652CE11
E4A35AAE9F3918A442" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> 
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A3B36E671AF11E1BCD6B8
635898C9B3" stRef:documentID="xmp.did:4A3B36E771AF11E1BCD6B8635898C9B3
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>o.a*....IDATx...k.e.A......{..........P.K......
....*~.i.....i...V$...E.....Z.TJ.1..:*..m......*i..jn..;3.....]k.s..L.
o".}~.a.9.O.e}.._{....i..,.... ...g...._..-... ..".=....qT.{9..,../..?
}...}...~..=............G...~,[email protected].. u....... ?.H.
."<....Ey......W......,|.?~)....f..^;..W.........w.k7.1...z..^Q\Q..
......l./4...`.B..-....X..Kygy.....F.......u:.n&.....G.g.&...zvo......
.....hz...........hz.....v.y.&...zY.-..,L.......z.7.X...{...izvo..(.WU
..7.....t...._.h..f..^;...,~.....r.......TWg.......k.V.......T..=f
<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 742

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "technical" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "json_send_time" : "2014-12-23.17:54:41:107" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_WaitForDMInitComplete" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "244" , "publisher_account_id" : "A-4410674" , "publisher_id" : "AfterDawn.com" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0"  }
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
....


POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 731

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "regular" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "json_send_time" : "2014-12-23.17:54:41:294" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_EndOfSession" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "244" , "publisher_account_id" : "A-4410674" , "publisher_id" : "AfterDawn.com" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0"  }
HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive
HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:17 GMT..P3P: CP="N
OI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length
: 0..Connection: keep-alive..

The Backdoor connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

H#.Mx

dWi7.wU

zcÁ

.?AVfsURL@@

.?AVfsInternetURLFile@@

.?AVfsInternetURLFileDownloader@@

.?AVfsHttpFile@@

.?AVfsFtpConnection@@

.?AVfsFtpFile@@

.?AVfsHttpConnection@@

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

6'6,60646]6

2(2F2i2

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXps://VVV.verisign.com/cps0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack < %d elements

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|<>/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

LOCALS~1\Temp\nsaB4.tmp\webapphost.dll

n Data\Google\Chrome\User Data\Default

=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapphost.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp

n\App Paths\IEXPLORE.EXE

geDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.0.0.1

Download.dll

nsaB4.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapphost.dll" (overwriteflag=1)

\webapphost.dll"

PLORE.EXE

gle\Chrome\User Data\Default

dleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

4-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe /ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb

DVD_Shrink_v3.2.0.15.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe

LORE.EXE

IEXPLORE.EXE

49deca54-7b41-4951-ba0d-e55cf038edeb

hXXp://ude.databssint.com

hXXp://engine.dmccint.com/DecisionEngine.ashx

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico

Icons\icon.png

c62722b7-da76-4ef0-adf0-9118edbfbf93

AfterDawn.com

1572961

hXXp://cms.dmccint.com/MainOffer/1569870/

DVD Shrink v3.2.0.15

Setup.exe

hXXp://cms.dmccint.com/Global/GlobalPage/1569870/

hXXp://business.va.conduit.com/chrome/inline/instafeed/shell.html

6-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

ccmd.smc//:ptth=lrUegaPlabolG

1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

yStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.3.9.0.140504.01

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapp\

1989312

Bayes_glm_only_current_combinations_2014-12-23.csv

Microsoft Windows XP

6.0.2900.5512

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default

/ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\client_xml.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\offer.xml

no_dynamic_main_offer_url_supported_in_this_version

%Program Files%\Internet Explorer\iexplore.exe

GenericDM.exe

1.4.0.4.141214.03

svchost.exe_1496:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   wsmallstub.exe:472
   %original file name%.exe:1560

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\DM_loader.gif (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\init.html (97 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4357d65f-a22b-4e28-a57c-d632a6270d43[1].jpg (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (6038 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (45350 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PS_searchprotect[1].json (32508 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[2].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\certInlineLB.pfx (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PCOptimumBoost[1].htm (1787 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[2].png (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[2].htm (23341 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\manager.js (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\customframeapi[1].js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Failed.htm (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (1642 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\994349[1].htm (24471 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\BoxBgNew[1].png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\icon.png (431 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite wide[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
   %System%\wbem\Logs\wbemprox.log (76 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\System.dll (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[1].htm (27085 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\proxy.html (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\-[1].png (933 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\NoneSilentSuccess.htm (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\manager.html (328 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\webapphost.dll (39329 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite-wide-grey[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1514591[1].htm (24993 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\left_text[1].png (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\WelcomeScreen.htm (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AfterDawn[1].png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\gplay.js (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Success.htm (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\FDMClient.dll (8184 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe (3626 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.