Trojan.NSIS.StartPage_02e90f0452

by malwarelabrobot on November 9th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 02e90f0452e20643095ac58a111697f7
SHA1: eabef83d89987ef31db16f6075c2c0016ab126be
SHA256: 24673d0df8263c796d6473def979c2f455e73d4a8a52d8e32fec375a950a846a
SSDeep: 12288:/2WL31Mxq/hzKNKmo1CK9u5UESdHVc6pGfh9:/N3v/hzm wK9u5UESdHVcLfh
Size: 567408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912
wmic.exe:680
%original file name%.exe:344

The Trojan injects its code into the following process(es):

bacfcabebjgi.exe:1072

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process bacfcabebjgi.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dc[1].js (1657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\91415466317\GGG21659.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2083 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415466317.txt (0 bytes)

The process wmic.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415466317.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415466317.txt (0 bytes)

The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\insHv5.exe (388801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bacfcabebjgi.zip (56564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\cc.dll (3709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insHv5.bacfcabebjgi (8368 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bacfcabebjgi.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insHv5.bacfcabebjgi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa7E.tmp (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process bacfcabebjgi.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 79 69 B2 61 91 11 8E 30 AF 40 FE FB E4 40 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wmic.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 02 72 4D AE 58 1A 0A D3 2A 2C FE 37 1B E7 CF"

The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 54 F8 F5 3B 06 EE F0 DE B2 CB 34 25 CB F6 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\91415466317\GGG21659.exe
d14366f2e2214b172c1f4a2c9c9a18f2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bacfcabebjgi.exe
40bdbf12dea7136c9b26c2b7d5e4a25d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7F.tmp\cc.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7F.tmp\nsisunz.dll
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Acoustica-CD-DVD-Label-Maker-3-33
Product Version: 1.28.19.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 8488 8704 2.94796 574922401b3d7ffddd845987303f9562

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5126&distid=21858&productid=21046&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.7
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/seaApp/SeaAppWin8Chk.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topLine.jpg
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button.png
hxxp://static.revenyou.com/offers/images/Theme8/bgImg.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/nextCase.jpg 198.232.124.224
hxxp://direct.the-apps-track.com/Installer/Flow?pubid=5126&distid=21858&productid=21046&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.7 54.243.189.40
hxxp://static.revenyou.com/offers/images/Theme8/button.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/topLine.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/button_over.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/bottomLine.jpg 198.232.124.224
hxxp://stats.g.doubleclick.net/dc.js 74.125.29.157
hxxp://static.revenyou.com/offers/images/Theme8/topComp.png 198.232.124.224
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0& 54.243.189.40
hxxp://static.revenyou.com/offers/images/Theme8/bodyImg.png 198.232.124.224
hxxp://cdn.download4desktop.com/Installer/seaApp/SeaAppWin8Chk.exe 198.232.124.192


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Installer/seaApp/SeaAppWin8Chk.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 08 Nov 2014 22:11:24 GMT
Content-Type: application/octet-stream
Content-Length: 49666
Connection: keep-alive
x-amz-id-2: orE/meEPgyqAPRpvGmvSqCeyClP5Y4vsM3wyDblyS4JVBYz5jI1V0lTayBQmr4qM
x-amz-request-id: 5F2A3AD899BB9BD1
Last-Modified: Tue, 23 Sep 2014 06:22:01 GMT
ETag: "6bf9db0e306ffa8ab340cd9cc925455d"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......hC..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..hC.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>


GET /offers/images/Theme8/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/bgImg.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/bottomLine.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/button_over.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sat, 15 Nov 2014 22:11:25 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...;IDATx..Z;o.1..Y.D...W."$=D..*[email protected].
...........;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.s
h..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[[email protected].
...y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?
7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.
......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K.....
...YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\
D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........
Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N.......
.*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..t
svP!.U0.q.......9z.e [email protected]............. .>=...{WVim...
.f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o
[email protected].^......IEND.B`...



GET //offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: direct.the-apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 08 Nov 2014 22:11:26 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 11957
Connection: keep-alive
<html>.    <head>.      <title>5 - NonProduct (iheav
enDownloadManager)</title><script type='text/javascript'>v
ar _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.
push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker
', true]);..                                            _gaq.push(['_t
rackPageview']);..                                            (functio
n() {..                                              var ga = document
.createElement('script'); ga.type = 'text/javascript'; ga.async = true
;..                                              ga.src = ('https:' ==
 document.location.protocol ? 'hXXps://' : 'hXXp://')   'stats.g.doubl
eclick.net/dc.js';..                                              var 
s = document.getElementsByTagName('script')[0]; s.parentNode.insertBef
ore(ga, s);..                                            })();</scr
ipt><style type='text/css'>body      {          width:100%; h
eight:100%; margin:0px; padding:0px; font-size:font-family:helvetica; 
font-size:12px;}   .divLeadpName      {         border-bottom-style:gr
oove;border-bottom-width: thin; padding-left:61px; padding-top:9px; fo
nt-size:font-family:helvetica; font-style:italic; font-size:25px;     
            font-weight:bold; color:black; position:absolute;   width:
 100%; background-color: #fff; ba}   #divTop         {display: none}  
#divMiddle      {background-color: #efecec; height: 100%;} #middle    
{background-color: #fff;} .divOnNext      {          position:abso
<<< skipped >>>


GET /offers/images/Theme8/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/bodyImg.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sat, 15 Nov 2014 22:11:25 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM
..z&..............u0...`..:....p..Q<...0PLTE.......................
.........................{.......IDATx......:..`..p..J.4.ty.:......)v.
.\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..].
.8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.
\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._.
.d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..&
gt;).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../
..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o
..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F
]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W
7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8..
......KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y.
.)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z
%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y.
..... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S..
...W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>[email protected])e
M.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J..
.,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.
*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.
J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....
X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>

GET /offers/images/Theme8/nextCase.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Sat, 08 Nov 2014 22:11:25 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/button.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 08 Nov 2014 22:11:26 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sat, 15 Nov 2014 22:11:26 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi.......
.../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f.
..p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C......
.$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....
-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^
.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...



GET /Installer/Flow?pubid=5126&distid=21858&productid=21046&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&cookieeula=&cookieprivacy=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: direct.the-apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 08 Nov 2014 22:11:08 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 20492
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*]go_bp.
rc](Znmm,pr_^c)\mj).kfd`jn(Bvh`iiaJ^a^pP]qael:ga_cocc95$_anmga71-833.g
^_aj<.1./.!\mrhsnyg_52*$psr^ir8 -.gjatnl;![jhif_onobp[og_j_<=cmp
koba^'B@-BQ<(E___k)M_f]m&1*-2"dd]5 .f_71"iq\_b6.#
_wpepiYg6..&!Nar`.5&/).@`dgoajg_i>`pa 5..% >hsevgmmn^qO_
fGewn.5. ).O]ympl.3 .&!Afd`[obtb.9)1*.HmhklnhknP\l`.8*  .Dgn[m^n^h
buR_o].3 .&!Olc`h<_rblHjsr\dg.8-&!Ripom\eMc`dnCmhe\gbIcma&q
uot;8..'.A^hQqn?n;c^ah\nt"8ojp^{)u!Loqo=s^ 7.!("Nm]@qc.4
!., >ghimk_mpTwk].3.).LkngoauZrfimPyn`k.3 /'2)13.$.KcdEdu"
8..CDCVYKKC?GWH:AECMA Qj^op_o_[XMg^jjlmcn[XWgi\jpqYVBqrp`foOcomhknZWMi
blpn`hlZWK`Zp`bOnor`[ou.y.GGEWZDJ<[email protected]@SSAP@TWLc^lbdPpjl`\
ry.{.HI@QZ<SOLDJT][email protected]_m]WUQb[q_hNmgo^aq. .RcbC`r41.9. FF=TXJ
L=@H_K<;CBLB.RkfrrYm^ZYGh_rmngamZYQhjdmrkWUArlqanrQ]mlglh[XUldfnm_i
f[XSc\j^aNoisacrw.w.FH?X[LM>9GXK>=GENC.KJ?RT;QA\ZN]\kaeJqktc^lw.
z.BJAY]>MMKCKN^QSCM.Nhdqq`neZWK`Zp`bOnor`[o.*.LdlopoF\fc.4!Oe_m[cIp
lnd_tGH.M^e.&!Lrm_m^mGA.9.11.*'.?iq`usMa^`k 7* .IqRYdmDllHjsr\
dg.8.&!AxcPJG.8.bspp8*'_e/ ^nsnq`jq^p0(bkm-Dfnm_ifdn/Q`Ym\fMln
peao?`gcocb Sc\j^aNoisacrjh`ga^hcurcb&`qc.&!AxcPJG  7.gptn5
9;*]j.(ckwln]moco--_ok*Ailr^fkar-N]\kaeJqktc^lB^lblh_/Q`Ym\fMlnpea
<<< skipped >>>


GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=21858&leadp=21046&countryid=71&sysbit=32&imgurl=&cookieproductname=65-99-111-117-115-116-105-99-97-45-67-68-45-68-86-68-45-76-97-98-101-108-45-77-97-107-101-114-45-51-45-51-51&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 08 Nov 2014 21:20:46 GMT
Expires: Sat, 08 Nov 2014 23:20:46 GMT
Last-Modified: Fri, 03 Oct 2014 00:48:42 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15833
Cache-Control: public, max-age=7200
Age: 3039
Alternate-Protocol: 80:quic,p=0.01
...........={_.:...)....'.$..&.......-..Ms..e9..'...B.g.3#..........3z
?F........z....n.h..@&b.....v.W.A"...<8H.^.....A*......3....~..X?8.
...<..t..)d.......Hf.Q...._. .,`.....a....>...?...v.Aq.G........
.p.........a$y&.....sX7p........ ..M.d..l.K.....t...8..i6....C..XO....
.@....!.....RG.l .}....b$c..B|8..C}!.8..=.e.K....{..K.9..a..nx......%.
.;..F...J...v..n!.L.....g.C@...~..|...=....q.9n_...P.....Tw.o.........
..k.....^:.....O!..b......=...B..,..j8......k.b./.Y..JE...({k.........
(.L..@. ...b;...s.f...k../--..\..A.M..he.q..u.u.$..<.....$......eBf
....,...r{.[.....h....Tup..$?F?2.... .qk...x..;.......}.Y.[)jL........
.}.4.'..Z_...bms.._..I4.r=...f....U}...|......].FG..\.[9...hp......"..
L..J...a..l.=.C..c.............i..2&.......{....T*w..%#ey....A..`.T..Q
.w.....f2...,....J...y.qqA.........BTo....5.W..9]...]b$K%Z.V..b..x1t..
..]..&.P.Qo.A?..W.R..l.........'".. ..D. ..EA.......$US.t...w?.u*rn.:.
.....?...a,.(..0....`.GL....Z...j[8.[.2k8N...4(.x..4j&..V..p.N)0.;k...
....C..= .].;M.|..&..;........M'....Vy.6*..[J.7`n*...Q..O.%4T ...;....
.'J.........xKK.&..^A...;...........a<.783[X......p...c...3j$.....Z
....c.D.....BW................*.1]KQ].zb.... .?~....V>&."..Q$.....&
.sS..Kq........).....{y.V....T...L.09.-.KK:..yH.....4./..Ni.oaM..X..X.
R...l...[...n2.....6.v.Q.......v.C.0........55..z]__.a.j...fJh.....r.6
a.6v3..!.}^0...,...I.w........i.......Q..q ..c;2.p2 .%..:0..14....z...
.b.*Z..*..>...v].....H...V...kVT.]....I ...._..}.f.....^U..a.V]..wd
.N.....9....n1-0..`...B..Q.MB...7...%.!.L~.."H..xNV`?||.H.........
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_344:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bacfcabebjgi.exe /PID=5126 /SUBPID=0 /NETWORKID=1 /DISTID=21858 /CID=0 /PRODUCT_ID=21046 /SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=9^hspnh_a ><(=TA'K]bcg%HZibl,/-1. /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1414250079 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /HIDEX=1 /IS_DYNAMIC_ENCRYPTED=true
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\insHv5.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bacfcabebjgi.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bacfcabebjgi.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\insHv5.exe
sisunz.dll
1.2.2
Extract: %f
%u byte%c
(%u byte%c)
%d.%d%d Ë%c
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
nsisunz.dll
operator
GetProcessWindowStation
portuguese-brazilian
%U7$\
}7d.IY
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bacfcabebjgi.zip
bacfcabebjgi.zip
BACFCA~1.ZIP
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7F.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7E.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7F.tmp
/PID=5126 /SUBPID=0 /NETWORKID=1 /DISTID=21858 /CID=0 /PRODUCT_ID=21046 /SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=9^hspnh_a ><(=TA'K]bcg%HZibl,/-1. /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1414250079 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /HIDEX=1 /IS_DYNAMIC_ENCRYPTED=true
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
WUSER32.DLL
00000000
1.28.19.1

bacfcabebjgi.exe_1072:

.text
`.rdata
@.data
.rsrc
@.reloc
.CGy,
<9%u3
FTPj
SShT#J
YPSSSh
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
3.7.16.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
SQLITE_
?API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s\etilqs_
%s\%s
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
%s(%d)
keyinfo(%d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
cannot modify %s because it is a view
table %s may not be modified
Cforeign key mismatch - "%w" referencing "%w"
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
no such index: %s
SCAN TABLE %s %s%s(~%d rows)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
sqlite_master
sqlite_temp_master
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s AS %s
%s TABLE %s
%s SUBQUERY %d
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
foreign key constraint failed
unable to use function %s in the requested context
zeroblob(%d)
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
no such collation sequence: %s
%s - %s
malformed database schema (%s)
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
%s-shm
bind on a busy prepared statement: [%s]
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
too many terms in %s BY clause
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
invalid name: "%s"
automatic extension loading failed: %s
d-d-d d:d:d
d:d:d
d-d-d
M@d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
BmTindexed columns are not unique
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
Page %d:
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
sqlite3_get_table() called with two or more incompatible queries
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
unknown database: %s
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY must be unique
constraint %s failed
%s.%s may not be NULL
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
misuse of aggregate: %s()
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
statement aborts at %d: [%s] %s
cannot use index: %s
at most %d tables in a join
cannot open value of type %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
%s.%s.%s
too many references to "%s": max 65535
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
indexed
foreign key
cannot open view: %s
cannot open virtual table: %s
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_check
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Error %d has occurred.
Error %u in WinHttpReadData.
Error %u in WinHttpQueryDataAvailable.
F%D,3
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
KERNEL32.dll
EnumChildWindows
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
zcÁ
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{1C62C813-C4DA-49F8-900A-3216A55B9191}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {3CFB4437-E091-4766-8FE6-36664BD143CF} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Tue Oct 07 17:48:24 2014
<BUTTON onclick='window.external.OnClick(theBody, "red");'>Red</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "green");'>Green</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "blue");'>Blue</BUTTON>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
55
1 292$9;=
0%1X1P2
0#0'0 0/030
>%>->5>[>
7_7)8=:\;
7 9$9(9,9094989
: :$:(:,:8:
< <$<(<,<
:$:,:8:\:|:
0 0$0@0\0|0
9 9$9(9,9094989
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gRUNTIME_WELCOMEIMAGEURL
THANKYOU_URL
EXE_CMDLINE
EXE_URL
SERVER_URL
execmdline
exeurl
\Microsoft\Windows\Cookies
cookies.sqlite
sqlite
\Mozilla\Firefox\Profiles
Found cookie in Chrome!
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
\..\Local\Google\Chrome\User Data\Default\
Chrome_WidgetWin_1
Exception opening/reading chrome cookies
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
SELECT url FROM moz_places WHERE url LIKE '%
places.sqlite
\default.html
Safari.exe
Opera.exe
firefox
chrome
http\shell\open\command
Opera.HTML
IE.AssocFile.HTM
FirefoxHTML
ChromeHTML
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
virtualoffercmd
\MNA.exe
opera
eimgurl=
&chromev=
CHROMEVERSION
@@exeurl
AntivirusesRegKeys
RegKey64
RegKey32
PostExe
PreExe
ReportName
RegKey
ExeURL2
ExeURL
OfferURL
I.tlb
OLEAUT32.DLL
Mscoree.dll
888816666554443
6666554443
!6666554443
virtualoffercmd:
downloud.exe
ad.exe
oad.exe
/REPORTURL=
_2nd.exe
VirtualOfferCmd
VirtualOfferCMD
VIRTUALOFFERCMD
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KKERNEL32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bacfcabebjgi.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912
    wmic.exe:680
    %original file name%.exe:344

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dc[1].js (1657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91415466317\GGG21659.exe (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2083 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91415466317.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\insHv5.exe (388801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bacfcabebjgi.zip (56564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\cc.dll (3709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\insHv5.bacfcabebjgi (8368 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now