Trojan.NSIS.StartPage_3206163c69

by malwarelabrobot on November 6th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 3206163c6986cb0fca4eb0f5bbbf5389
SHA1: ac67551bad98b7bc7aef32fcacfe4a8922d68ca0
SHA256: 68dc259ab55165a125c47ef144157b0aaa0d4843612148d9873682a583b90df0
SSDeep: 12288:JhY0y9kKjAvxSM6VJK6yLFIDHosSuOr9xycqV2rBEXlGvYCXYBsOQ5t2lzi/WMK1:JhM9 vxX6VE6 ODWuQHZqV6BEXVCXdOi
Size: 643960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1180
wmic.exe:1356

The Trojan injects its code into the following process(es):

ris.exe:688

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp\getf.dll (3406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ris.zip (57588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsEv3.exe (7769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsEv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp\ZipDLL.dll (5500 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ris.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsEv3.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp (0 bytes)

The process wmic.exe:1356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415171001.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415171001.txt (0 bytes)

The process ris.exe:688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415171001\PreExe_ID_21659.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bottomLine[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dc[1].js (1657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bgImg[1].jpg (691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button_over[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nextCase[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2083 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91415171001.txt (0 bytes)

Registry activity

The process %original file name%.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF EE 65 F3 FB F3 71 D5 6E DC 4E B5 3A 84 A3 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wmic.exe:1356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 C3 87 6D 46 3B 93 A8 2A 52 1E 2E CA 9F 56 32"

The process ris.exe:688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 1E 1D CB 18 28 97 9A DB 67 E1 CE B7 FC 44 D0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\91415171001\PreExe_ID_21659.exe
2dc35ddcabcb2b24919b9afae4ec3091 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nstB3.tmp\ZipDLL.dll
a71767cea57b2cb690934abfcd535663 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nstB3.tmp\getf.dll
b8c46e45db4db80bd618e31b88192d7f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ris.exe
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Installation
Product Version: 1.3.12.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 3136 3584 2.74126 9472ef2537e262aa0d7222fd4e857841

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 288
59f708cb4c1e9cb0d7591bf5488c0fdc
1d2187e10bf5a261ed3ba7ea80923958
24704cba95937dc9f3b463703eaf389a
64a2d89c4796f6564a2e44a30e56056a
60ccac71810dddf03d8b4b08e1b67083
0b2eaf65786f3441d0c93adbc1caf392
ab69c3cdf419cc15f11778a18a935690
fde4b3f54a055364d42f1d64c406eeb3
30e3658e1ce5bbdcf7b3566def2c1e2f
caca402d9586e83b80d9854de16ee495
c410b3db3bfd97c989f97373e7d5876c
b32c69d5df4fecf4c3ddd931cbcde3f0
e1d1b9032f2906f3cf27c2c5cece7f49
ba145cef08c9d27b39d519cae7cbaf4a
886455cd79e282d66248157256848958
604c3d0e2af4d3e5e696a4881a9ebafe
3d5efb15b3368f450e8305bbac327875
20da33b41866289fab17d51f70ede7e2
871baf5b2459273d6fd19b4c74c3b389
9964f2120a9005301ea28686fc98344c
bad8ece354257fe33b38a7c51bc55266
2100203aa8258050280849408a10285a
517ee19559b9bd596ffed72cc2981832
ecc1cb8bc704e813719c73e4a7e2c645
e4cbbdca3976be927d8a69ca7814440a

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=3809&distid=14542&productid=13927&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:86:17:36&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.5
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/seaApp/SeaAppWin8Chk.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme4/button.png
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0& 23.21.124.140
hxxp://static.revenyou.com/offers/images/Theme4/topLine.jpg 198.232.124.224
hxxp://data.getserverinfo.com/Installer/Flow?pubid=3809&distid=14542&productid=13927&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:86:17:36&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.5 50.16.226.114
hxxp://static.revenyou.com/offers/images/Theme4/topComp.png 198.232.124.224
hxxp://stats.g.doubleclick.net/dc.js 74.125.29.157
hxxp://static.revenyou.com/offers/images/Theme4/bgImg.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme4/nextCase.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme4/bottomLine.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme4/button.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme4/bodyImg.png 198.232.124.224
hxxp://cdn.download4desktop.com/Installer/seaApp/SeaAppWin8Chk.exe 198.232.124.192
hxxp://static.revenyou.com/offers/images/Theme4/button_over.png 198.232.124.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Installer/seaApp/SeaAppWin8Chk.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:11 GMT
Content-Type: application/octet-stream
Content-Length: 49666
Connection: keep-alive
x-amz-id-2: BTcG74Rlb 3yab0xWc08CYMLthJgAS6 85jbYWZEMhTs3aMQ3srR9 u23iLn0vi1
x-amz-request-id: 661E00C7B90DC5D2
Last-Modified: Tue, 23 Sep 2014 06:22:01 GMT
ETag: "6bf9db0e306ffa8ab340cd9cc925455d"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......hC..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..hC.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>


GET /offers/images/Theme4/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/png
Content-Length: 1684
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Tue, 12 Mar 2013 18:06:58 GMT
ETag: "08db634c1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...*...0.....g.......tEXtSoftware.Adobe ImageReadyq.e&
lt;...6IDATx..Y{LSW....mK_.....,.....%..q.....23...9..1....p.7..h.3c&g
t;..2g.5f3Q.=..8.M.5....V..[.S...}_[..-m!n....s.wO..........OB...i1.1.
..........`.=8"../..]c....4..=.o=n..^.....d4X.w.AAvF...R......a..-...J
...od......#\.~{.....Y.\.\[email protected].!m..D.S...VSKOE..C....k.."PmXg.{uJ
.....i..B..%......P.........5^*C.i7/.)..p...<.....=........[.P.x.j[
9..h.:E.]wg,..$U}(.....B.p..D.3q....u. ..T......_.....w =3.=.#..`b8fB3
.<`D)~...Z...3......!:U....&..L.NZ.......5...`en{.y..8VD.......v.v.
Y....?[;?*....S.7.....u.......P4-....k...x.....A6#.|......%E..........
.....h..8r........R.g..:.WV.;..d..V....n...h.*.}....!t.A.1....o.N.^..S
C..#[email protected]\p#.p..k...9..).:m).J;.z...#a6z.R........01/'..J...1.0..
..S....\..nJ..a.....q\.....d....W2......B....."T|..q..>.p...9E|....
AF.!..([email protected] ......?]lD..H.E....2.g.$P..*&.]..l.z.&....`O..Y.[W8.
.....T.92\!..8..4.*.dN.......d20..E.8....:..u...2.....-.W.O..0...W...s
....\[^...5.aw5.....es.f.`...P....j..P}........P..A8 ...1g.uw...;P..}.
.f.FTw../~..n.e.7Wl..U)u.6.....N..B..4\5...V.w..M.6......k..E.h<>
;...........uU....w..><F.O.k...... >^...d2.D.6J...j]{F..K..6.
...J3.................N..s........r.]T`...k.Q.*.2/9A.G.....{G..B....X.
8.f.jil.>..O....#...U.5...==.`w.=..A.....;,..bH.R9..*X4.5.auEr.....
=1a.G...M.J*6..=,..p2.y.....p..M.mh........,[email protected].:.......U
....D..M .JBL&..."....J....0(@...a.&...a..........._....X.F..0..!....9
...Y}.}.6..P(.......&.`....`......9|[email protected].&....L.
<<< skipped >>>

GET /offers/images/Theme4/bgImg.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/jpeg
Content-Length: 10317
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 15:29:22 GMT
ETag: "0353e89ff1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................,.N.........
......................................................................
........!a....1ATU.Q.."2Bq.r...R...#3C$%.....................Q..!...1A
"a.2.q.......BR#............?.._......${~1.>..?....x<.|b..".K.?m
..E.^...i{k...Hr3{..6........Nc...,.........Nc....w.~..w....r.....S..n
..F.1....o.}....$?.....~-...py!.A.z._.{s...H..}.........$_.>.~G....
w../._{.#.on}...../......>..........[..n..E..}...._n}...../....W..n
..E.....~ ...py .C.z....s...H..}...._n}.........~ ...py ...z.?.....<
;.|a..y...s...H.0.o^U...>........y.....w../._w.*......<.|a..y?.=
....$_......j{o...H>0..........u....]%.......|.......irvo.}>...c
..:.Y.=.....?J......:.$sz...;..l....u.....gO.........:.$,[Q}....t.H...
o.{{;._m..C.....{{?._m..F..^...oh{o...H......[{C..n..F..w........w..5$
s..........<..#...,v........I....5........|...s......O.~.........{.
Xo.OA...,js..;...s.{S.............k......<^X....w.....\.._........&
lt;..........y...........w..R...~.........g..../.qyb.\._...O...D../,_k
...=.h...~.........g....'.qyb.\._...G....\^X..>..{<....>.....
....g...z'.qyb.\._...O..D../,_k...=.i.oz'.qyb.\._...G....\^X..>..{&
lt;..{.>.........g.?..O........c.......\^X..>..{<..{.........
..g.?..O........c....}...|.}.|/..y......../......4~;..E......~...?.}..
x|.}.|/..y...C...,_k...=.i.;..C....s.~..........b.\._...O..C...,_k
<<< skipped >>>

GET /offers/images/Theme4/bottomLine.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/jpeg
Content-Length: 2475
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 15:29:22 GMT
ETag: "0353e89ff1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................2.N.........
....c.................................................................
...T.........................R..............?..=..}.Y.u~~.;t....s..N..
>....~.;t.....\...}.Y.<.|v.....v.;[.....y.........rv.9..g.......
_w=...ns.*......L...{......U.#...n.=}..k......<G....0z....'ks.qVx.?
_..`..s..N..>....~.;t.....\...}.Y.<.|v.....v.;[.....y.........rv
.9..g......._w=...ns.*......L...{......U.#...n.=}..k......<G....0z.
...'ks.qVx.?_..`..s..N..>....~.;t.....\...}.Y.<.|v.....v.;[.....
y.........rv.9..g......._w=...ns.*......L...{......U.#...n.=}..k......
<G....0z....'ks.qVx.?_..`..s..N..>....~.;t.....\...}.Y.<.|v..
...v.;[.....y.........rv.9..g......._w=...ns.*......L...{......U.#...n
.=}..k......<G....0z....'ks.qVx.?_..`..s..N..>....~.;t.....\...}
.Y.<.|v.....v.;[.....y.........rv.9..g......._w=...ns.*......L...{.
.....U.#...n.=}..k......<G....0z....'ks.qVx.?_..`..s..N..>....~.
;t.....\...}.Y.<.|v.....v.;[.....y.........rv.9..g......._w=...ns.*
......L...{......U.#...n.=}..k......<G....0z....'ks.qVx.?_..`..s..N
..>....~.;t.....\...}.Y.<.|v.....v.;[.....y.........rv.9..g.....
.._w=...ns.*......L...{......U.#...n.=}..k......<G....0z....'ks.qVx
.?_..`..s..N..>....~.;t.....\...}.Y.<.|v.....v.;[.....y.........
rv.9..g......._w=...ns.*......L...{......U.#...n.=}..k......<G.
<<< skipped >>>

GET /offers/images/Theme4/button.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/png
Content-Length: 1256
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 22 Oct 2012 15:36:14 GMT
ETag: "0eb27f86ab0cd1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...|..."........9....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx..[_h[U....776M..[..-.u6...!.N.E.......V6A..^...=....^..S.
...Cp8..Nl..Z..-..g.L...m...&M.=.^...............{/y.~...{.9:..p...l..
..'./8...."N.G.@...."7sU.@. ....'z.....\"n8s...B....0..<....X...E,.
..f...-...$..R..9....(...E...._^.......u8...V....%.5zaA..T:.EC..\..\.j
.@.....~p.^P2......f....(..]..1.zeq..H ..6ul..t=.Y#....(r.[.F.....P..c
........Q....m.K...........t<.8.,^.EK./...5..(P#..P...f......).o..L
p.T..z...[[.{..:..z.....`...].P...@Q...>...z...K!.p......,.B..m.A..
1..........|...9.c..............."..Ro.i.0..XD..-A.j.<...b..d....=.
\..b.t.qK9.E.... [email protected]...[... .FI...(`.....p...$.(...
.1.....!......(8.(#.Ig..-8......>..,.v.6...........L.L.../x.Hc#/...
.......9.../{5{..=|...C.J...h[a.n.b...-[A......{.3aYX.QK_.x.P..-....Ws
.Xm....i_......f3...<...5..0y..GOf....:...u..3..klZ>.q.P(|#HKoV8
..................<...-......[.Vr.w.)......f....e.S...k...A..



GET /offers/images/Theme4/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/jpeg
Content-Length: 1264
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 15:29:22 GMT
ETag: "0353e89ff1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................2.N.........
....R.................................................................
...........................?..........................................
......................................................................
..........................................j.%!%!%!%!%!%!%!%!%!%!%!%!%!
%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!
%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%!%"....R.R.R.R.R.R.R.R.
R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.
R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R-..!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.".
..2.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.
B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.
B.B.B.B.E... . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 . . . . . . . . .Q*..................................................
...........
<<< skipped >>>

GET /offers/images/Theme4/bodyImg.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/png
Content-Length: 21473
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 15:31:04 GMT
ETag: "02cac6ff1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e&
lt;..S.IDATx.....$Wy'[email protected] !$a.. ....f.[.\...1x........
A.l.......g..F...`[email protected]./.Z]U..]Uy....}/.E..x....U.Y.Oz.Y..........
.....u.k.h...;w...B!........?'......k...z.8..._..6....2..i.F......7??M
.Q..0hm7ep..Mh.....*...}.....?k......E..$\[email protected]
.\............/...x...'..W...T..Gh.g....6...p}.......i.../.?F.......X.
..?y6[~.lY.Ph..K...6..p}......M........z..vL.].5.......reM.~G...0{q...
...p|.K~..F..q.....0.o<...m3S....J]..y.l...f..f...)..x......;.....{
...H{J..Bw.q..5....%.......3..s..p.H.|.....7.\_.......?......WL.....1.
8C.R.c.s.o..\n)W..c.A.]..}7..&......|b#.............$...]..........w.[
*...lY8&C..i...p...-.x. ....?...t.P.....d<...."....#..w..T(.U]8....
.....p..p..<t.....=........T<.f.G../. ..|.8{."..gM.yz......p..&l
t;t.....;.....m7..J:`W8.T.?..J...|E8.l.0?..n........c3?O....D....{...!
.F..\QU...J....].....~..p...=........u.....(.P...[g..J...x-..N...L....
%.qw............:.......tW......wL.C.=............H......B...7..z.....
.......m..:j.8~]...{.$S......i...~....Z......|.....W_.N.....M...S.....
..~...p...n..^..Ow......1...o.9.kK"f.s..0...Oe.?z.F.l....7.\ ...W..#..
.8....W....o.6c2.M..Z..CO.....l......pa..Ak.=...p...X.iPB}..<F.....
<W u..N..U..k..M^.s(.8......n......aa.O.s.....*V.h.#.._G....KGS[.b.
.;..w..p.vA....%.=.R.X...xl.X........v.&..._.N...8.. .{..n....._^..S.)
.......H......f.7.....l_:!... .........=...Vs8..}..<~"W9....h...x. 
..'0..q,..}x..A....V.:..:..JQ7.......0.R".....Xl,......m ..7.....U
<<< skipped >>>

GET /offers/images/Theme4/nextCase.jpg HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/jpeg
Content-Length: 1213
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 15:29:22 GMT
ETag: "0353e89ff1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................2...........
....{.................................................................
..........T.!1..a.."b5........................R....1"23A............?.
..5y......}|{m..#..}...f.i...4..WUS.....TLUz.9..b..")..7.....^.....H..
(.$ ....{.. ...xoS...ia..J.i{.Z......w..............U~j...5_.....n....
.v.sW......._..t...}...^w.....|{m...m.k/.s]p......NG .._.S...D._.@....
.2N.....(.H..HC...A.D..v.._.=..r~....(..T..M...aj....#..K...C.k...J@..
@........ ..9.....>.68..z.(...T.T....J..)QR........ak.... ...G.|!.5
.2...... ............S.T.?v...HS......4.j..).(R*Q......c.G.........^.w
e..MNN).....>H...*.""...TruEO.4*..f=...... H.......#.%..E\?T..^....
.YE.>.......Z.U....;9....:.lSo.}.\..?.r([email protected]&.M$I
.9[.S....x.gfK....w)u.O...<8...;.w]....y>....{cC..u...]w...1...4
;.w]....y>....{cC..u...]w...1...4;.w]....y>....{cC..u...]w...1..
.4;.w]....y>....{cC..u...]w...1...4;.w]....y>....{cC..u...]w...1
...4;.w]....y>....{cC..u...]w...1...4;.w]....y>....{cC..u..L...:
a<.J.....3..m...w......PeV.(.(P*P.T.a. .....................
...
<<< skipped >>>

GET /offers/images/Theme4/button_over.png HTTP/1.1


Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 12:09:12 GMT
Content-Type: image/png
Content-Length: 1274
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 22 Oct 2012 15:36:02 GMT
ETag: "0dd0f16ab0cd1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 12 Nov 2014 12:09:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...|..."........9....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx..[Kl.E..gw............J.Q...p..\..Rz...!A#.KE..=...J.....
6.B....\@....*.m.Kh.H.4..{c......8vHD9.f...>...x....1.Y...A`h\.z |O
....N.c.&../!w C...<3s]......<..v.`.|O.;l.....B...o.t!].6.8|`..M
.df...e...e((.$2Q...tx/.>~W..}.e..a..lF=N......OxHJ. .c..3PR.(:..^.
q<8mn.......ZVaA..MW...#(|i........t.....]C#}..BB....M(*9f.....Fb..
......q.>.......G*.....$.?..m$.....e.<.y.....z...)a.W0-..n..(...
......g[ ..,...}......L.*.r..~...o..wU.A..wN.......N<.rQ...)O...ra.
..[.b....c.........._-.1.S.....:1|k...@u...!..y................}.v..i\
tiP.chx..a...<p.y..N.<|..tAVN1...h}.6.6.7.].....;y..5\..}...N#6/
..v.0.W..R.W.9..j...2...%..V..i..1..n......Ws6my..-.......p.....4.....
[email protected] .....K1B.-....%..z..[..a@Y7.....]F....;.f5
h..j........\..r..`.ef!.A).....u.........}....`.n5d.....LQg...8.J..../
.v'{..R.-k.N.......]9...s...s.......<...d!,....O...lD....z...w.>
|..........`...b..L~?.....9.....Z...?_..>...h{|gY7... .v..!a.&.....
.%.9...C.SgG.....&.".....C..>..2.....Z.nf..BN*..p..?.#.g.?.2.DUp..'
'fv.......lz......O.....B......<L..D.E.q....ALHp.l..j.v.y....[E....
........M.`.6....;8.~..f..u......)....^.\."...7..9..W.t)F_'Uks.....~..
.0...d7r.I.wZ..".f...N.9R.z.....@7[.N.G.......u]......IEND.B`...
<<< skipped >>>


GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 05 Nov 2014 11:27:09 GMT
Expires: Wed, 05 Nov 2014 13:27:09 GMT
Last-Modified: Fri, 03 Oct 2014 00:48:42 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15833
Cache-Control: public, max-age=7200
Age: 2523
Alternate-Protocol: 80:quic,p=0.01
...........={_.:...)....'.$..&.......-..Ms..e9..'...B.g.3#..........3z
?F........z....n.h..@&b.....v.W.A"...<8H.^.....A*......3....~..X?8.
...<..t..)d.......Hf.Q...._. .,`.....a....>...?...v.Aq.G........
.p.........a$y&.....sX7p........ ..M.d..l.K.....t...8..i6....C..XO....
.@....!.....RG.l .}....b$c..B|8..C}!.8..=.e.K....{..K.9..a..nx......%.
.;..F...J...v..n!.L.....g.C@...~..|...=....q.9n_...P.....Tw.o.........
..k.....^:.....O!..b......=...B..,..j8......k.b./.Y..JE...({k.........
(.L..@. ...b;...s.f...k../--..\..A.M..he.q..u.u.$..<.....$......eBf
....,...r{.[.....h....Tup..$?F?2.... .qk...x..;.......}.Y.[)jL........
.}.4.'..Z_...bms.._..I4.r=...f....U}...|......].FG..\.[9...hp......"..
L..J...a..l.=.C..c.............i..2&.......{....T*w..%#ey....A..`.T..Q
.w.....f2...,....J...y.qqA.........BTo....5.W..9]...]b$K%Z.V..b..x1t..
..]..&.P.Qo.A?..W.R..l.........'".. ..D. ..EA.......$US.t...w?.u*rn.:.
.....?...a,.(..0....`.GL....Z...j[8.[.2k8N...4(.x..4j&..V..p.N)0.;k...
....C..= .].;M.|..&..;........M'....Vy.6*..[J.7`n*...Q..O.%4T ...;....
.'J.........xKK.&..^A...;...........a<.783[X......p...c...3j$.....Z
....c.D.....BW................*.1]KQ].zb.... .?~....V>&."..Q$.....&
.sS..Kq........).....{y.V....T...L.09.-.KK:..yH.....4./..Ni.oaM..X..X.
R...l...[...n2.....6.v.Q.......v.C.0........55..z]__.a.j...fJh.....r.6
a.6v3..!.}^0...,...I.w........i.......Q..q ..c;2.p2 .%..:0..14....z...
.b.*Z..*..>...v].....H...V...kVT.]....I ...._..}.f.....^U..a.V]..wd
.N.....9....n1-0..`...B..Q.MB...7...%.!.L~.."H..xNV`?||.H.........
<<< skipped >>>


GET /Installer/Flow?pubid=3809&distid=14542&productid=13927&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:86:17:36&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&version=4.5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: data.getserverinfo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Nov 2014 12:09:07 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 18300
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*]go_bp.
rc](Znmm,pr_^c)\mj).kfd`jn(Bvh`iiaJ^a^pP]qael:ga_cocc95$_anmga70052-.g
^_aj<-37-/!\mrhsnyg_52*$psr^ir8 -.gjatnl;!\a[;- g^=0!anZed7/"e
vo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_oY.3 .&!=nrdndksp_rNeeF
]tl 7.!("N\qjnr.4,-, @^a^aqcua"8()'.NoilktgjfMZrb.9)1*.&
lt;dlao_o]natJ\mc.4,-, Nd`^n>`sarGikoZji.9,, Qamms^fNbfcm;jfk^hcHil
`.5. ).B]nPpf<lAe_bgbms.5mpr_|({ KgnmCu_!6" '.KkcBrd.: .$.
<mjjnjeloLtic.4/("Kjfdmgw[seolOqk^q.4!.-1()0.*.LdcKct.5..EEDU_
JJ;<E]J;[email protected]`neZWEd\plmnbtZWOdgblqrX\Apjm^lqPdnsgjfWUSkcmot_
gdWUQb[q_hNmgo^aqv.x FF=TXJL=@H_K<;CBLB.RKFRR9M>ZYMd]racHmhrb]sx
 z.@F>W\=TNRCILZNQBL.Oodoo\kcYVRaap^`Kkmq_bp"*.J``Ibs50"8
..CDCVYKKC?GWH:AECMA Qj^op_o_[XMg^jjlmcn[XWgi\jpqYVBqrp`foOcomhknZWMib
lpn`hlZWK`Zp`bOnor`[ou.y.GGEWZDJ<[email protected]@SSAP@TWLc^lbdPpjl`\r
y.{.HI@QZ<SOLDJT][email protected]_m]WUQb[q_hNmgo^aq. .RckgmmL^gd.: N]\kae
Jqktc^lDF.O_f., Kjj]s`nH@"8-).,0).@hw_tkJ_dbl!60*.AnP_fnEkrGikoZj
i.9-, @p`NPI.9.hroh5(-af0*dmrfn^ps_q/.aje*Blpn`hlcm'N^_o]gLrmo]^mE
bhdnia*K`Zp`bOnor`[ohnbhb]nbtj``,brd., @p`NPI,!6"folk3-,^k-.bjoil
copdn3,^gh(Gkms]lj`j*Lc^lbdPpjl`\rD_marg^'N^_o]gLrmo]^mmm_m_al_qm^
e _wa"*.;jfk^hcHil`.5..*]`nrg`jZmwm_<_tg_.(\_olhar]d\8<
<<< skipped >>>


GET //offers/DynamicOfferScreen?offerid=5&distid=14542&leadp=13927&countryid=71&sysbit=32&imgurl=&dfb=0&hb=2&isagg=0&external=0&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: direct.the-apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Nov 2014 12:09:08 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 11407
Connection: keep-alive
<html>.    <head>.      <title>5 - NonProduct (p0six
spwn-v1.0.8)</title><script type='text/javascript'>var _ga
q = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push([
'_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', tru
e]);..                                            _gaq.push(['_trackPa
geview']);..                                            (function() {.
.                                              var ga = document.creat
eElement('script'); ga.type = 'text/javascript'; ga.async = true;..   
                                           ga.src = ('https:' == docum
ent.location.protocol ? 'hXXps://' : 'hXXp://')   'stats.g.doubleclick
.net/dc.js';..                                              var s = do
cument.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga
, s);..                                            })();</script>
;<style type='text/css'>body      {          width:100%; height:
100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-s
ize:12px; }        .divLeadpName      {          margin-left:61px; mar
gin-top:9px; font-size:font-family:helvetica; font-style:italic; font-
size:25px;                                   font-weight:bold; color:b
lack; position:absolute;     }            .divOnNext      {          p
osition:absolute; bottom:11px; right:28px; width:124px; height:35px; c
ursor:pointer;                                   background:url("http:
//static.revenyou.com/offers/images/Theme4/button.png");}         
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1180:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe /PID=3809 /SUBPID=0 /NETWORKID=1 /DISTID=14542 /CID=0 /PRODUCT_ID=13927 /SERVER_URL=`omn7).`ar\&b^rp_qrepdfah,`il /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1409080336 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=true
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\instructionsEv3.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\instructionsEv3.exe
\\?\unc\
zcÁ
65708<8`9
<'</<5<;<|<
5 5$5(5,5
-*!$%d:ZU1N
GetCPInfo
ZipDLL.dll
Error: %s
Could not extract %s
Error: Could not extract %s
Extract : %s
Extracting %d files and directories
Extracting contents of %s to %s
Extracting the file %s from %s to %s
%s (%s)
Incorrect password set for the file being decrypted
1.1.4
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.zip
ionsEv3.dat
ris.zip
NSTRU~1.DAT
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB3.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB3.tmp
/PID=3809 /SUBPID=0 /NETWORKID=1 /DISTID=14542 /CID=0 /PRODUCT_ID=13927 /SERVER_URL=`omn7).`ar\&b^rp_qrepdfah,`il /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1409080336 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=true
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.3.12.1

ris.exe_688:

.text
`.rdata
@.data
.rsrc
@.reloc
.CGy,
SShL9J
<9%u3
FTPj
YPSSSh
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
3.7.16.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
SQLITE_
?API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s\etilqs_
%s\%s
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
%s(%d)
keyinfo(%d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
cannot modify %s because it is a view
table %s may not be modified
Cforeign key mismatch - "%w" referencing "%w"
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
no such index: %s
SCAN TABLE %s %s%s(~%d rows)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
sqlite_master
sqlite_temp_master
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s AS %s
%s TABLE %s
%s SUBQUERY %d
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
foreign key constraint failed
unable to use function %s in the requested context
zeroblob(%d)
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
no such collation sequence: %s
%s - %s
malformed database schema (%s)
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
%s-shm
bind on a busy prepared statement: [%s]
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
too many terms in %s BY clause
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
invalid name: "%s"
automatic extension loading failed: %s
d-d-d d:d:d
d:d:d
d-d-d
M@d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
BmTindexed columns are not unique
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
Page %d:
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
sqlite3_get_table() called with two or more incompatible queries
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
unknown database: %s
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY must be unique
constraint %s failed
%s.%s may not be NULL
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
misuse of aggregate: %s()
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
statement aborts at %d: [%s] %s
cannot use index: %s
at most %d tables in a join
cannot open value of type %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
%s.%s.%s
too many references to "%s": max 65535
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
indexed
foreign key
cannot open view: %s
cannot open virtual table: %s
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_check
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Error %d has occurred.
Error %u in WinHttpReadData.
Error %u in WinHttpQueryDataAvailable.
F%D,3
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
PSAPI.DLL
KERNEL32.dll
EnumChildWindows
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
zcÁ
{A0386B19-B7E7-4BE7-B567-ABF77CBB6E60} = s `ATLExeServer'
`ATLExeServer.EXE'
val AppID = s {A0386B19-B7E7-4BE7-B567-ABF77CBB6E60}
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{03771AEF-400D-4A13-B712-25878EC4A3F5}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {6D4506CE-F855-4657-AA38-DB6B1F733982} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Tue Aug 19 20:05:12 2014
llo%srt
<BUTTON onclick='window.external.OnClick(theBody, "red");'>Red</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "green");'>Green</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "blue");'>Blue</BUTTON>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
0 0'030?0
6#6'6 6/6
; ;*;5;9;>;
5 5$5(5,585<5
9 9$9(9,909
? ?$?(?,?0?4?8?<?@?
8 8$8(8,8084888
6 6$6(6,606
7 7$7(7,70747
9 9(909<9`9
6 6$6(6,6064686
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gRUNTIME_WELCOMEIMAGEURL
THANKYOU_URL
EXE_CMDLINE
EXE_URL
SERVER_URL
execmdline
exeurl
\Microsoft\Windows\Cookies
cookies.sqlite
sqlite
\Mozilla\Firefox\Profiles
Found cookie in Chrome!
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
\..\Local\Google\Chrome\User Data\Default\
Chrome_WidgetWin_1
Exception opening/reading chrome cookies
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
SELECT url FROM moz_places WHERE url LIKE '%
places.sqlite
\PreExe_ID_
\default.html
Safari.exe
Opera.exe
firefox
chrome
http\shell\open\command
Opera.HTML
IE.AssocFile.HTM
FirefoxHTML
ChromeHTML
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
virtualoffercmd
\PostCheck.exe
opera
&welcomeimgurl=
&chromev=
CHROMEVERSION
@@exeurl
AntivirusesRegKeys
RegKey64
RegKey32
PostExe
PreExe
ReportName
RegKey
ExeURL2
ExeURL
OfferURL
{A33DE4AA-9646-4E33-9E44-E472C6312E2F}
OLEAUT32.DLL
Mscoree.dll
888816666554443
6666554443
!6666554443
virtualoffercmd:
/REPORTURL=
_2nd.exe
VirtualOfferCmd
VirtualOfferCMD
VIRTUALOFFERCMD
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KKERNEL32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ris.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1180
    wmic.exe:1356

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp\getf.dll (3406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ris.zip (57588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsEv3.exe (7769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsEv3.dat (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp\ZipDLL.dll (5500 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91415171001.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91415171001\PreExe_ID_21659.exe (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bottomLine[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\topLine[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topComp[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dc[1].js (1657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bgImg[1].jpg (691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button_over[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nextCase[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2083 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now