Trojan.NSIS.StartPage_12a64613a1

by malwarelabrobot on June 21st, 2014 in Malware Descriptions.

MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 12a64613a19c4fe9abd460a4bc0705a1
SHA1: 56e0a8bb033b3ac5cb2bf67b20a9b412587043af
SHA256: 2b809adcedccc6fa669b5ae2e78e02835f8550e252224598359f79b341e55191
SSDeep: 24576:lD9484CsoZWCM5PAj7vrhbpODEN6kVYQnon08SFv2:zL4hp rOoN6kVY o0rFO
Size: 943392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:192

The Trojan injects its code into the following process(es):

setup.exe:1004
f.exe:1832
6_Offer_15.exe:1400
%original file name%.exe:1096

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\components.ini (1218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\InstallOptions.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-header.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-wizard.bmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\ioSpecial.ini (9996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\summary.ini (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\options.ini (3918 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\shortcuts.ini (1782 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB5.tmp (0 bytes)

The process f.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (5392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\DynamicOfferScreen[1].htm (850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery.min[1].js (1005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui[1].css (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BuzzIT2Checker11-6[1].exe (7494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_15.exe (2582958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\bodyImg[1].png (8516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\Firefox Setup 26.0[1].exe (3284663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui.min[1].js (8781 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)

The process wmic.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)

The process 6_Offer_15.exe:1400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp (0 bytes)

The process %original file name%.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB2.tmp (0 bytes)

Registry activity

The process setup.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 03 07 88 05 50 78 10 31 B3 F7 8C 47 FE 1E 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process f.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CachePrefix" = ":2014062020140621:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 9D BA B8 FD 2A 00 5E 21 64 1A 09 31 90 A0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014062020140621\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheOptions" = "11"

The Trojan modifies the IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wmic.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 4B C0 C8 10 BF 09 49 E9 04 84 98 3B ED B8 96"

The process 6_Offer_15.exe:1400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D EB 51 1C D8 21 55 B8 EB A2 D9 4B 8B 5F 30 38"

The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8F 92 DF 2B B0 32 3B C9 44 F3 36 F7 0E 49 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
c5c5de801c3d3ee767574893a7df656d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_15.exe
cf51b758916e5bf68ba8f0a6b3fb6bf1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll
1c9b45e87528b8bb8cfa884ea0099a85 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll
0cd085ca321c43cb4c1bcf99ab8ea080 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll
666a76d8ed0a06c9404da0d546bf3627 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll
e17ee29b33661a5dfa55c8788adca28f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe
1eea6c1b35191dc177ea83672b9c3fc0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\firefox.exe
8439cd841764fc1d7b1059a21021bdca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll
1fd37aec631eef547ff6c93151c21a5b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll
9440e99ff69d095896660a166bf74866 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll
a24534258c89c992d3e03729e3c42ab3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll
3b9398e0146855b1dc0e3d9769c80f01 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe
b5b3e07dd04eaa1ffceb37ef9f7849fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe
454830b2ff549241e4b09cd291f4b59d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll
ab7ebfd1d7fe626612d1e815fe4e6df4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll
8a6087b231b529ef6186cd0179b16032 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll
03e9314004f504a14a61c3d364b62f66 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll
2545f8fa1ba4417308df63b952d66fa1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nss3.dll
cf618ddc43b1f48959275961d0142615 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll
689a9eff35da52f70849fdb25034174f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll
0dd74786d22edff0ce5b8e1b1e398618 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe
51bb4983ba8b8f4c712ae7ebb5577cd8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe
a6f5aa4bd602cda7b0a375a6a48d715d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll
5b61c11223e59c1aca4adae6fdd2a775 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe
63e98c05d504e9f30dae364dce50e0f5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\updater.exe
4f5cac0d371454e97d1bd918489792f6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe
abcc2fbcca63a5f6309485ca3ef18e7c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe
de2345b8cbcc6366e20848ec22278cb6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\xul.dll
01944475fa7b6c1f30f931013cf61d1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\setup.exe
c416bcf6a1bfc274c22c243da87c0f33 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f.exe
67d8f4d5acdb722e9cb7a99570b3ded1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB6.tmp\InstallOptions.dll
959ea64598b9a3e494c00e8fa793be7e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB6.tmp\System.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\System.dll
b8b654dd30c249e00c79f1508a2736e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BuzzIT2Checker11-6[1].exe
c5c5de801c3d3ee767574893a7df656d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\Firefox Setup 26.0[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Firefox
Product Version: 3.0
Legal Copyright: Firefox
Legal Trademarks: Firefox
Original Filename:
Internal Name:
File Version:
File Description: Firefox
Comments: setup Installer
Language: English (Australia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 94208 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 286720 3176 3584 2.75375 61886786c758d78857d0529764e4c7bd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 481
9075f446add5ec41257f58f8dc344511
ea27666125c2bb990dab607f47cf310f
3b5c82330cb8a4c16d41e5b26be76f3a
cd8c8443f373d4fa58a9d7aad6058667
a7abf1354079db1f1fb931a6917c583b
b6db55d4bed46aa90ce58aadc61f0341
4cdf363b3c476b9d413e1a373e4f04b3
c27caef5212c8d8e08a6220166ccfb41
f7e26b1c24e4c19ae3029062960031b9
eda611fe56c3a547f83bf1115db44f9c
6682148233fe4b96c56522254edaf00b
6ba3f80e35469236cad9c07a6f11c2c7
a4d28e59dfea0e3e6b6b5c7edc23b509
83aea5cc733a64256da306f24753c7fe
2a8a39c3d4f095499e6c8886afaf92e3
53ed4f24eac3da19d145ec097315b859
77e2a53a7f224993e6ecf2c726ce980f
caeb50584a473d5d396a257119a035f8
18fb56d3368841860c23187cb164d6de
19eaeb3d4fbaf70a4dc6a8f23db48a84
81fd71f835897ec687159c66c60bbf4f
cb17476bf9aad70500f9700c3b097748
09aa24e5705183b3a4d5a91d43cb5ffa
4b4d87ff4186ff61c2599b65ab616c07
9d16845458af46342e3b805425159325
d6b6d43786584ef4a7e6e9034491dce3

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0
hxxp://e1005.g.akamaiedge.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topComp.png
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topLine.jpg
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bgImg.jpg
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bottomLine.jpg
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=112047188&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=15&downloadduration=24656&installduration=94
hxxp://smartinstaller.elasticbeanstalk.com/Installer/TrackFinish?reqid=112047188&x=y&clickid=-1
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
hxxp://www.postdownload.net/portal/redirect.php?id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44&d=ez-download.com&p=Firefox&pid=3 162.159.244.195
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bodyImg.png
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button_over.png
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/nextCase.jpg
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button.png
hxxp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 173.203.239.57
hxxp://thankyou.postdownload.net/css/thanks1.css 173.203.239.57
hxxp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00 166.78.35.128
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.7.1/jquery.min.js
hxxp://ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 141.101.112.6
hxxp://a1834.g1.akamai.net/js/widgets/clkL.min.js
hxxp://a1834.g1.akamai.net/styles/widget/static/theme2_template8.css
hxxp://a1834.g1.akamai.net/images/addons/icons/25932/Slimcleaner-CA-Ron-All-widget-lp1--25932.png
hxxp://a1834.g1.akamai.net/images/widget/2/addon.png
hxxp://dualstack.counter-817696455.us-east-1.elb.amazonaws.com/blank.gif?t=141669771145&h=a023e0f902a095d8b136fb5b66956e00&cids=pac
hxxp://a1834.g1.akamai.net/images/widget/2/widget.png
hxxp://a1834.g1.akamai.net/images/widget/2/header.png
hxxp://a1834.g1.akamai.net/images/widget/button.png
hxxp://cdn.delivery49.com/images/widget/2/addon.png 208.185.54.241
hxxp://www.ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 141.101.112.6
hxxp://cdn.delivery49.com/styles/widget/static/theme2_template8.css 208.185.54.241
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png 74.125.29.95
hxxp://cdn.delivery49.com/images/addons/icons/25932/Slimcleaner-CA-Ron-All-widget-lp1--25932.png 208.185.54.241
hxxp://cdn.delivery49.com/images/widget/2/widget.png 208.185.54.241
hxxp://static.revenyou.com/offers/images/Theme11/topComp.png 198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js 74.125.29.95
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css 74.125.29.95
hxxp://installer.apps-track.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 54.225.131.135
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css 198.232.124.224
hxxp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& 54.225.131.135
hxxp://static.revenyou.com/offers/images/Theme11/button.png 198.232.124.224
hxxp://cdn.delivery49.com/js/widgets/clkL.min.js 208.185.54.241
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js 74.125.29.95
hxxp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& 54.225.131.135
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js 74.125.29.95
hxxp://cdn.download4desktop.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme11/bodyImg.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme11/bgImg.jpg 198.232.124.224
hxxp://installer.apps-track.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=112047188&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=15&downloadduration=24656&installduration=94 54.225.131.135
hxxp://static.revenyou.com/offers/images/Theme11/bottomLine.jpg 198.232.124.224
hxxp://cdn.delivery49.com/images/widget/button.png 208.185.54.241
hxxp://static.revenyou.com/offers/images/Theme11/nextCase.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme11/topLine.jpg 198.232.124.224
hxxp://download-installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe 23.44.196.61
hxxp://counter.d.delivery49.com/blank.gif?t=141669771145&h=a023e0f902a095d8b136fb5b66956e00&cids=pac 54.225.69.34
hxxp://static.revenyou.com/offers/images/Theme11/button_over.png 198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png 74.125.29.95
hxxp://installer.apps-track.com/Installer/TrackFinish?reqid=112047188&x=y&clickid=-1 54.225.131.135
apis.google.com 173.194.43.32


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /js/widgets/clkL.min.js HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Mon, 12 Aug 2013 15:00:20 GMT
ETag: "ecdb-252-4e3c1620c2900"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 348
Content-Type: application/javascript
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
Vary: Accept-Encoding
.............N.0...<.f..H!..).B.#...!.&...%U.vL[..dEk..5...c.....).
.1~.p8fl..0.T....{...". .....q$.....b.....<..HKf.Yz}...~...:..l..."
!...4....`..n.1.m..j........Xd...ak...b([email protected].*.3a..Y...&......*...
....V14..EA...j......P=...^[email protected]..............,..h,-.b.Ig.G.=.....k.
T=........>./...7.]....../..D.... ..F.q......Zo'....._..q.c!6..&...
C..R...
....



GET /styles/widget/static/theme2_template8.css HTTP/1.1

Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 11 Aug 2010 13:36:53 GMT
ETag: "204c7-1777-48d8c57b10740"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 1181
Content-Type: text/css
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
Vary: Accept-Encoding
...........X.n.:.}. ...vW%%.4.<.O.....k.........m .......j..=..93s.
.....d......... ......`.......?H3.../[email protected]...>Wi..=..QBX....%.v.
{\!........7DN." .V...].S7Co.7M...U.Z^....`~..Ca.$!4... G&6..tj..p.)b.
..}T.....%[email protected]..... .j...A...QX......U.._B.u.........
..*..hk........q.....wA..g..V......yjG=......?\..`.QXC..=..{. ....k...
.;.n6W....iqNH...]..;....]..u..Wr..`.)....7........jq..tY...k>#....
..3^...}..2..:......H..9f....CWI....k.?.0....H5..G...8'T..^.g..F7.( =R
j....?...tsE3......"V...j.....,.|[email protected]/.W.aYw%.....9-".....x.3.Y.I.
)5..T.yi.....0..........d...=......n....;.!.w..8%...C.......|..$.....m
r....Y..rH\...........P .DIE...4'.#..H.S..{...0..DA.....GF......s.....
d0%.H 1../...^`o.6T....!..\O.`.........0.......7..../.d...p.b....q...F
.._U........6... ....^....CT..G-y.Y..y.Gk...O.........9...w...t...`.Z.
.2..VW(%...B..7..Z...P...-.........wg..(...5;.....Q..l........t...cH.i
........9...C.S3.MX.......I0`...".Q..a..<.....<.,.....N.D.p...W.
b....x...[........k.......I.... ~{..&..*..!..^.G.....f..A....@`..0....
r..".T......9q...p_.zA...F..-/0F.xn/...p.>cJ....k.u...Q{.K./.V. ...
.<T.&........os.....H...r._.J.............g..f...=..j.%..."0'8,.kJL
.....D..w...
....

<<< skipped >>>

GET /images/widget/2/addon.png HTTP/1.1

Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 27 May 2010 09:24:52 GMT
ETag: "201a2-22a-4878ff6786100"
Accept-Ranges: bytes
Content-Length: 554
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR..............5.?....tEXtSoftware.Adobe ImageReadyq.e<
....PLTE...........................................................
.........""H`.)7.:N#Jd.[x...(Ur.....="Ha....."%Oj........%.......*8.2A
.%1.%2......J_.l...3IDATx....Q...E.'(....3. .K....?..C8uj.8..9/....D..
..D...................................................................
..<B$k...-D.6.k.A$k....D.6.k.!R.!..I]{......M..o................"Y.
...... ..I]{...."Y...........H.&u...dmR...H...`m.6X......`m.6X....&u..
.$:...$...a%.iV.k5......._M.....Q........C.M._..0.@.....`.....IEND.B`.
....



GET /images/widget/2/widget.png HTTP/1.1

Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 27 May 2010 09:24:52 GMT
ETag: "201a5-21f-4878ff6786100"
Accept-Ranges: bytes
Content-Length: 543
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR.......d.............tEXtSoftware.Adobe ImageReadyq.e<
...oPLTE)Wu(Vt&Tr.Vp$Rp Nl.A_.=[.;Y.Ig"Pn0Xr.?].Db.B`#Qo.Ge/Wq.@^.C
a.>\.<Z.Hf.Jh%Sq!Om.Ec.Fd'Us.Lj.Mk.Ki-Uo.:X.9W,Tn...&......%tRNS
.....................................?.BO....IDATx....m.P....33.....w.
S..L..g.o.Yk....9. c.........Ms.[..S..k..}.26...!hn h. h.!h^ h.!h.!h.
h. h> h. h.!h. ..4.~..9....... c.....f...Ms.W..-.26.........gK..[/g
..z36...c....`l06..c....`l06..c....`l06..c....`l....c....`l....c....`l
....c....`[email protected]`.t>....



GET /images/widget/button.png HTTP/1.1

Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 11 Mar 2010 15:16:22 GMT
ETag: "c981-3fd-48187e5c05d80"
Accept-Ranges: bytes
Content-Length: 1021
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR...,...,.......u.....tEXtSoftware.Adobe ImageReadyq.e<
....PLTE.....MV..k.*.....k~.:...D..K|.S.)a..9r.9.......WS.....6....
....{[email protected]..:.#l.D|.6E....F3..j.$"d._..S..P../..p.-[."..IB..
..`r.3g.Em.6m..K..0....I...`.$...U..g..{.[^.1l.XW....~N..Y..I..p.I"].g
.&...7..h.&...e. Z..Q..X..(z.U.?...W.A?r.5..e....ls.;@..c. T......<
n....XtRNS............................................................
............................x......'IDATx...[[email protected] ..........4
m=.....h..7qs.:.m.....Ln.............bVCI Q..p.;.7..~....c..D...L...T.
...N\...s.B).-D,....L7"..>..N.B.........i.........=.r,b...S‰..)..


GET /portal/redirect.php?id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44&d=ez-download.com&p=Firefox&pid=3 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.postdownload.net
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de31ac9442f6e3dbef24cd96afed1578d1403232038616; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.postdownload.net; HttpOnly
X-Powered-By: PHP/5.4.9-4ubuntu2
Set-Cookie: PHPSESSID=9b5gqb8ik08b1b7rlvbvd02ke0; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: hXXp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44
Vary: Accept-Encoding
CF-RAY: 13d49a5154dc0779-EWR
0..HTTP/1.1 302 Found..Server: cloudflare-nginx..Date: Fri, 20 Jun 201
4 02:40:38 GMT..Content-Type: text/html..Transfer-Encoding: chunked..C
onnection: keep-alive..Set-Cookie: __cfduid=de31ac9442f6e3dbef24cd96af
ed1578d1403232038616; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; d
omain=.postdownload.net; HttpOnly..X-Powered-By: PHP/5.4.9-4ubuntu2..S
et-Cookie: PHPSESSID=9b5gqb8ik08b1b7rlvbvd02ke0; path=/..Expires: Sat,
26 Jul 1997 05:00:00 GMT..Cache-Control: no-store, no-cache, must-rev
alidate, post-check=0, pre-check=0..Pragma: no-cache..location: http:/
/thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3
RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd6
4vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44..Vary:
Accept-Encoding..CF-RAY: 13d49a5154dc0779-EWR..0..

<<< skipped >>>

GET /pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download-installer.cdn.mozilla.net
Connection: Keep-Alive

GET /pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download-installer.cdn.mozilla.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Last-Modified: Thu, 05 Dec 2013 20:15:56 GMT
ETag: "4ae3bf9-16ece88-4eccf3278b700"
Server: Apache
X-Backend-Server: ftp4.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Length: 24039048
X-Cache-Info: cached
Cache-Control: max-age=314046
Expires: Mon, 23 Jun 2014 17:54:13 GMT
Date: Fri, 20 Jun 2014 02:40:07 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........w....g...g.
..g...l...g.y.i...g...m...g...c...g...f.l.g.9.:...g..5V...g.=.a...g.Ri
ch..g.................PE..L....I.Q.....................p...p..........
. ....@...............................................................
..........\...p.... ..\l............n.p ..............................
............................................................UPX0.....p
..............................UPX1................................@...
.rsrc....p... ...n..................@.................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......2.03.UPX!......rb................&.......V...N.....13..Fx.Nt.H.
[email protected].....^......41V3..F`.".FT.X...-\.P.,&.Vj...S...lZ
N.P.J j...,..$^..k.. ..e....,0.4.p8.P(m[[email protected].<T..o..s.${..l....
[email protected].#..E..'..w....Etu..@0;.....
j.....v....Yt..`..t....H.. n....t...V.P.Z..M...E...e......@\..o...<
......G..R...f;V.d.E....e._...Z....\.P.Q..w.n..[.H..7V=.Sn..`...P..Q.c
1...........E...;....:../...u......~.."\y}...D.2............Pl...;....
...C.P.u.........E.]......D.Kx..-.st~..fx.'.&..{h>Ah.M..u.;Y..^

<<< skipped >>>

GET /offers/images/Theme11/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body>
..<div id="header"><h1>Server Error</h1></div>
..<div id="content">.. <div class="content-container"><
fieldset>.. <h2>404 - File or directory not found.</h2
>.. <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..
....

<<< skipped >>>

GET /offers/images/Theme11/bgImg.jpg HTTP/1.1

Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body>
..<div id="header"><h1>Server Error</h1></div>
..<div id="content">.. <div class="content-container"><
fieldset>.. <h2>404 - File or directory not found.</h2
>.. <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..
....

<<< skipped >>>

GET /offers/images/Theme11/button_over.png HTTP/1.1

Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Fri, 27 Jun 2014 02:40:38 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<
...;IDATx..Z;o.1..Y.D...W."%=D..*[email protected].
...........;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.s
h..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[[email protected].
...y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?
7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.
......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K.....
...YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\
D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........
Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N.......
.*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..t
svP!.U0.q.......9z.e [email protected]............. .>=...{WVim...
.f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o
[email protected].^......IEND.B`.
....



GET /offers/images/Theme11/nextCase.jpg HTTP/1.1

Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body>
..<div id="header"><h1>Server Error</h1></div>
..<div id="content">.. <div class="content-container"><
fieldset>.. <h2>404 - File or directory not found.</h2
>.. <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>....

<<< skipped >>>

GET /widget/render/hash/a023e0f902a095d8b136fb5b66956e00 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Fri, 20 Jun 2014 02:39:52 GMT
Connection: Keep-Alive
X-Powered-By: PHP/5.4.28-1~dotdeb.1
Content-Length: 1205
...........V.r.6.}.L...L....dY.K.$..K..u.Q...H,). ...%.......tA....N..
r4.\.vv...>;.u2.....]).....o'$.)..'..M...7...I..dj............s....
..2Z.#m.:=. o ...a..4#.x0....W.Tv......7..,0>.#[email protected]....
[email protected]\.$s.f.B..0i.....Vw.r..vH.93..h...w..b
%...S.......R/....J..V...AZ...R.....7h%.N...0}.ReXQ...a..9<........
....\X...fRpL..-_.n..[.9k..~.vx..&..........q...v.u[..oh3#*G..ni...**.
.$.J.(.e.F.H-......I....$*...m0........g\E...F..~m......8K3y....{.....
PW.!e6L.,V......%[email protected]...&..!.3..PB..AYy.....&.;Q4 ..!mN..0.|Mj..@
....8...A....B..ju../..5.|.....z..f...i!...a..E/......mv.....f...w.C[1
u#'JV@0~.R[.b.qk[......`^JP|0....:7.).|.....~Kd...@8........_.Q......c
A.J_..n.......B!..0e.Ua..Q ...H.......C. s.?.........T2uu.e.>.6...O
..W..H.^..|g.YU2yV.. s^.>..O.n.dz.....]~>y..o?......eq...F..CV..
R..V.z.K[.~.E?JQfx...p.2<.*|)e....*..Z0.T..&..?.C..Sj...b7..3A.3$.Z
/...E........M...x...;.........9............7.._...d:."......../Krf.X.
w......[...) .6...e..P..8.I.'...8p........!.;...0r:.....BZm.2.I...8.[.
G..... ......b'.';[..{.K.........=.. .....k....D......s......o`....!..
.(......a...S.7=.Y...Z&v}Lz...j.D...r.d?98.w.I..y>.....8..-..;..&..
|..(.9.8~..nG...W.../... .sv...*.........

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:29:14 GMT
Expires: Fri, 20 Jun 2014 03:29:14 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 650
Alternate-Protocol: 80:quic
[email protected]..~...e.#K.$.#A..=.!%J|iz...
;@Z.:...y..}..........X.H~{G...O~......-.M^[email protected]........
....!/.Ms.\\...'t.&qy..........hN.,fE..r*.V.f..O.>.."...G._.... s.W
O8f....v...dJ>O...H ..o..>..! v.o~y...gg.....#.D.,?BwgQ...&.,B.h
.%. .'.d.1...R...&.M...1..l.3.?.u..t.B.u...F....e....&q..7.bq.bv| ....
....... V..z;.j.A_.kr.I.J...e.z..A.yV0........0..5i.C.%,. .L..iY4Q.}..
.t......y..U.q.h.f..-K.....3.6...H..Y..|..u.....\d[T.........>.....
.|...Y...T.*...<..X..F.S.:.4..G.<.r`k.&?........0.p.w gEcN..=.'8
a...E......~...$OXJOy.s)...ud..\tQ.Z$$;..|.}[email protected]^...S2.gn.h......;V.
yy.!...{4..U%D>x....{...2.SV....!Y<....3..e...cMTb.5.,f...r..$Or
..%X...78.I.>[email protected].<.W
EY.h.<.U.l2c.....V.J..T.^...owo.....(...|...Sh..~x..l..ovyY.7...M..
. ..v2.%.j....Np1_....4...M...9.~.,y.V..b.-...i.&i.q...W7......*1.QP.k
:C..^.k6..T.\.u,..LW.(S<)5.............X...ZW...#.UC*.:nT;.....\<
;._.. J.YK.:9.H}3....U.B..$..W..f$l]^[email protected].,(."
......l.%........:.A..y.'n.. ..j:.q2.]r..M...j.JSQ....i.8...J...".iZ.V
.....5..'S:.*..C..V.Y.!S.k*.:FT.tv...1.P.A.e..r.h......-..uGZ6.(.....l
..!5....z....2M!.?.G.........'....U>..-aH/ .E.D.T{J..C!...tK.!.a.v.
.~......$....5 ..xj.u...P...x.@ F{..S..R.O.<d#.E%PS.//......5fV.4..
.1..S.......mw..#..o Q. .....p_yI..ox.....UM.uP....b.v0GE.....A....X.!
pX4.......Y-o..f9.....L.p$.........;..P...Q.b........mZe..$s..].8..t..
.M...o......X...S".>..1A*.....2h......D.j8Y..wL..^.| ....1...`C

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1

Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:09:36 GMT
Expires: Fri, 20 Jun 2014 03:09:36 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 51558
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1829
Alternate-Protocol: 80:quic
............iw...0....d...-.@......."...x{,y.<....n.M....ZB...w...A
P...9.L,.k_n..n.{.......V..G..<........}......n.........l..Y....z3.
.................E1.-.uz..........ZXI..rZm....../[email protected].....
.yUlB..U#..L...1p.>...2...].....M(...J.....e..I......5...9...e.....
&.........W..y...f./..j..}^....r...n.._7.j.o..v.i./a.7uq......r.%.,...
...j9..Y.s......@..$...... \...H...=....?....y...}W..b].G..|-....wG.N.
O<.H.Q...'w......H.....*.....?..Uo..n..Z=..U...I...*..,[email protected]...
..l.[@E1.....jq<..V.d.=.n......,..o... .gY.G....N%$f..u..."J.....xv
rR..$.q..i....l..m7....p...]./!.......JF0..^.. ...Q.....H..q...._wr"9.
.S].I/_.....~M...Z..U5..^q.z..U...k..........Q.........v...[.v..`:UJvI
o^-...........n.;..{o....p.CliS-J..w27...F.....v .{...t..........g._._
...~z......wz.......gP.K.....W....w/.ym......B.cH....?~..~/.~..../....
_.........4..s........x..z|...^|.../.._..?.z..............?.......?=..
....N......_<...3.n..I/..../ e.Rd../U...|...O.....Pi.~.....=.5..%~z
...oh..?.._~J.?.?.....0....g.. ....0....W...x....W.k|)....h....n...7Y.
...c..l.Y..._...3.D.f.,n..G?.'h...*.l...ZN...R...q..F.;.*/f6T.q-3.....
...Z.n..y\&.].......*.C..p..I.U.Z/....`..W..k<.Pn]....OtJR...P...j.
n...z]W''..z.o.b.....m...K...u.)..%.v{.8p9..T....4U......X..U.o'...T..
...D...G.tc.3o....8./.a.NK^...........q?I.0.....)-..m.\[email protected]......
\..{.>........D..n..Gp..)R:...>.D ....d.nV.......C....pWe.?Xl.B.
....6} .Q.4...j....^.6q..3..>5w\.....'.@....&6...?ok..$.;....[...!V
o........vx}{s.L.dA...6......8.r......bt.>"a........0...I~;....

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1

Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:11:48 GMT
Expires: Fri, 20 Jun 2014 03:11:48 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1697
Alternate-Protocol: 80:quic
  • Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\components.ini (1218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\InstallOptions.dll (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-header.bmp (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-wizard.bmp (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\ioSpecial.ini (9996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\summary.ini (86 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\options.ini (3918 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\shortcuts.ini (1782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\DynamicOfferScreen[1].htm (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (5392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\DynamicOfferScreen[1].htm (850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery.min[1].js (1005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui[1].css (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BuzzIT2Checker11-6[1].exe (7494 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_15.exe (2582958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\bodyImg[1].png (8516 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\Firefox Setup 26.0[1].exe (3284663 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui-1.8.19.custom[1].css (5521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui.min[1].js (8781 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)

  • Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  • Reboot the computer.
  • *Manual removal may cause unexpected system behaviour and should be performed at your own risk.