SearchProtectToolbar_pcap_631b98cf4c – Adaware

Backdoor.Win32.Farfli.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 631b98cf4ca36cc609f5e1f61e011463

SHA1: 8145286c6db59500d61deacf10655285919ee57c

SHA256: 55e0600761aef392fec26d78917bb502a19ae0f96108c379ec298e93854c0880

SSDeep: 6144:Yz 92mhAMJ/cPl3izxhjDfuozlx/LVXHSPF0MfB:YK2mhAMJ/cPlUlfH7VXo

Size: 250368 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-06-09 16:19:49

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wsmallstub.exe:1528
%original file name%.exe:1804

The Backdoor injects its code into the following process(es):

Your_Uninstaller.exe:1576

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Your_Uninstaller.exe:1576 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\919447[1].htm (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1201760[1].htm (26835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[2].htm (24705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\PS_searchprotect[1].json (23728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (373 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[1].htm (22704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\9ff4d7d9-e509-4157-9272-672e770a13c4[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\nonadwords_trip[1].htm (3611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[4].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBGGoogleDialog[1].png (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2d5611a4-628a-4b0a-bb01-95750affa250[1].png (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[3].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\-[1].png (933 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (0 bytes)

The process wsmallstub.exe:1528 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1804 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (3306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_1508703 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (0 bytes)

Registry activity

The process Your_Uninstaller.exe:1576 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Your_Uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122420141225\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122420141225]
"CachePrefix" = ":2014122420141225:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D B7 C9 08 CA 3E CB 25 CF 2F DA 82 73 E9 BB 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Your_Uninstaller.exe" = "6000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wsmallstub.exe:1528 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FD B0 9A AB E8 46 35 38 9C 29 F1 3D D9 2C BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1804 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 41 E1 E9 06 1B 92 F6 E6 10 62 5D 44 C2 2C 5D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"wsmallstub.exe" = "wsmallstub"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
7ce9c717ec8ff8d1c38d97d436189b53	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe
dd4b2762aa7ddc1314bbbdb42640aa20	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\FDMClient.dll
62008374a494afeea2ee2ae9eee4c8c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\System.dll
07f09c1bf361f757675b77320a08506c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe
f64b71ab811b25b1cd2fe801449af25c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB4.tmp\webapphost.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
wsmallstub.exe:1528
%original file name%.exe:1804
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\919447[1].htm (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1201760[1].htm (26835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[2].htm (24705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\PS_searchprotect[1].json (23728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\NextButton_Sprite wide[1].png (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\index[1].html (373 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1199375[1].htm (22704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\9ff4d7d9-e509-4157-9272-672e770a13c4[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\nonadwords_trip[1].htm (3611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[4].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\CancelBGGoogleDialog[1].png (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2d5611a4-628a-4b0a-bb01-95750affa250[1].png (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.dotdotdot.min[3].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (3306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: Your_Uninstaller.ex
Internal Name: Your_Uninstaller.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: English (United States)

Company Name: Product Name: 1.3.9.0.140504.0Product Version: 1.3.9.Legal Copyright: (c) 2014 ClientConnect LtdLegal Trademarks: Original Filename: Your_Uninstaller.exInternal Name: Your_Uninstaller.exFile Version: 1.3.9.File Description: Setup.exComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	74526	74752	4.54396	a8692f5ba740240ef0f9a827376f76f9
.rdata	81920	7445	7680	3.46159	d4f36accffde0bf520f52486679ccf0d
.data	90112	96036	512	2.46008	b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT	188416	32	512	0.273198	439411041ee0b8261668525c5c132cd9
.rsrc	192512	38164	38400	4.05087	2be43a53ce9007d251b1f780a86a734d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
f63cfb64d561a27b92ed1383bf8a3145
7ab081c06a806d95715df0140ebf76c0
21540415bebf1bf7b81ba130b1f2f02e
f22ba2f920421decdb1d5eccaeec39ce
db023753606cff3a27bdc934d8b86883
9b1854447ee59987586123985065578f
37b459b0abd85680d80762dd4907a7fb
a1baad9b4e14d667ef4ab3684cbe3de2
4b0746c82b8f5852e37d12ddc3dd1f3d
f96871ecc110019f18c71dfb7dbcc021
944c10805faf474679503608b7a606de
21a1f9dbfbf7b5cb473761b6ef5062a9

Network Activity

URLs

URL	IP
hxxp://23.21.214.196/
hxxp://e8210.g.akamaiedge.net/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None
hxxp://e8210.g.akamaiedge.net/Global/GlobalPage/1199375/?Language=None&Welcome=true
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=1201545
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=1201545GlobalPage
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/X.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/-.png
hxxp://e8210.g.akamaiedge.net///img/offers/r_db/r_bc/2d5611a4-628a-4b0a-bb01-95750affa250.png
hxxp://e8210.g.akamaiedge.net///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/BoxBgNew.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/button.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBG.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/images/SmallLoader.gif
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/InstallationSuccessful.png
hxxp://engine.va.dmccint.com/DecisionEngine.ashx
hxxp://ec2-23-21-214-196.compute-1.amazonaws.com/
hxxp://e8210.g.akamaiedge.net/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://e8210.g.akamaiedge.net/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=1201760
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://e6652.g.akamaiedge.net/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=919447
hxxp://e6652.g.akamaiedge.net/ps/OptimizerPro/offerscreen/global/1/index.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://a1128.g1.akamai.net/customoffers/customframeapi.js
hxxp://e6652.g.akamaiedge.net/LMS/PS_searchprotect/PS_searchprotect.json
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBG.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/button.png	23.209.104.116
hxxp://engine.dmccint.com/DecisionEngine.ashx	199.101.114.147
hxxp://dehosting.dmccint.com/customoffers/customframeapi.js	184.84.243.64
hxxp://ude.databssint.com/
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1201545	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/images/SmallLoader.gif	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/-.png	23.209.104.116
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1201760	23.209.104.116
hxxp://cmsstorage.dmccint.com///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/BoxBgNew.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/X.png	23.209.104.116
hxxp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	23.209.100.223
hxxp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true	23.209.104.116
hxxp://storage.stgbssint.com/ps/OptimizerPro/offerscreen/global/1/index.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	23.209.100.223
hxxp://storage.stgbssint.com/LMS/PS_searchprotect/PS_searchprotect.json	23.209.100.223
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite wide.png	23.209.104.116
hxxp://cms.dmccint.com/CmsThemes/Default/Images/InstallationSuccessful.png	23.209.104.116
hxxp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None	23.209.104.116
hxxp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None	23.209.104.116
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1201545GlobalPage	23.209.104.116
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=919447	23.209.104.116
hxxp://cmsstorage.dmccint.com///img/offers/r_db/r_bc/2d5611a4-628a-4b0a-bb01-95750affa250.png	23.209.104.116
hxxp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None	23.209.104.116

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8752

Expires: Wed, 24 Dec 2014 09:50:46 GMT

Date: Wed, 24 Dec 2014 07:24:54 GMT

Connection: keep-alive

....

GET /DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174707

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:58 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

....<!doctype html>............<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201760 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 6149

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:58 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.www.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dual licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_License. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.empty();for(var i=0,d=r.length;d>i;i ){var l=r.eq(i);if(t.append(l),n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}function r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgroup, option, textarea, script, style",u="script, .dotdotdot-keep";return e.contents().detach().each(function(){var f=this,h=t(f);if("undefined"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"append"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.detach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];if(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLetter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).join(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.length&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8083

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8748

Expires: Wed, 24 Dec 2014 09:50:46 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "10ce6d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "10ce6d98c6fd01:0"

Cache-Control: private, max-age=7785

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "ea23644c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2779

Cache-Control: private, max-age=9683

Expires: Wed, 24 Dec 2014 10:06:21 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB22C3E111E3AEC3EB792256C508" xmpMM:DocumentID="xmp.did:72B2EB23C3E111E3AEC3EB792256C508"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB20C3E111E3AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB21C3E111E3AEC3EB792256C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.x.I...MIDATx....k]i...s..i..j....n.bq.2.c.Zq....("..A......tQ.S..8. h..af1.....f3.XZ.J[.T.i3.Mnnn.9..7..L.].C.......dw6_....v..y=E=y...P.)........s..........#UU.8_.4A..k.Vk...{..........b......w....,.E./.3.@..e....G..];z......f....34...v[...H1....g......'.......bss.H......699y...^..0...TU....h.V ..x.sOL.?r..@JYX...:4...$...?!.@.. .B......t&.H3.KM..d.... ..... ..... .&(..H6..C.H5..C....@...T.... ..... ..... .&(..H6..C.H5..C.H...A.. ..............4B0....,g....,..n..;......G.|r........r.1..o..b..........mp.)...B.u....l......../.\..`~~......P...C{.... ..Fh.W/].t....7..N,.1....'..D..z..c.......

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e8b65c98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6035

Cache-Control: private, max-age=12291

Expires: Wed, 24 Dec 2014 10:49:49 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

.PNG........IHDR...J...1.............sRGB.........gAMA......a.....pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:DocumentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stRef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...P....IDATx^...N....P...L.).A(...A."1...$<rcK...r....] .E. 8.^..[......o........ @.7.u&... @......(J..... @...'...^z....puu5...c........cmmm:.#@.......g......{..u>|.0.....?~.......i..........(JQ^... @....,p......pyy9lnn.....1_z./....^;..... @`...x....v:nnn....aooo..(J..I...SI...W.....F.......u..OBz.(.%i>.....*........ @.............p}}=lmmMg.......O.9...../&@..............|.m.@............79.....8..... . .8.t||<.A.[.|Vi>.4~}..%g.z.... @...6......J....F..l.........y".W....\..O.-?t..N..... @`...o..K.|.m,J.1.%..V..!-..... .........

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "caa5998c6fd01:0"

Cache-Control: private, max-age=8842

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

....

GET /Js/jquery.dotdotdot.min.js?fid=919447 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=10551

Expires: Wed, 24 Dec 2014 10:20:50 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "524e5698c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "524e5698c6fd01:0"

Cache-Control: private, max-age=8841

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=7784

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "10ce6d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "10ce6d98c6fd01:0"

Cache-Control: private, max-age=7784

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "e8b65c98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "e8b65c98c6fd01:0"

Cache-Control: private, max-age=12290

Expires: Wed, 24 Dec 2014 10:49:49 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "caa5998c6fd01:0"

Cache-Control: private, max-age=8841

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "524e5698c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "524e5698c6fd01:0"

Cache-Control: private, max-age=8841

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

GET /MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174148

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:51 GMT

Date: Wed, 24 Dec 2014 07:24:51 GMT

Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201545 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=17952

Expires: Wed, 24 Dec 2014 12:24:04 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "0c67198c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 1076

Cache-Control: private, max-age=7791

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:CBFD1020532511E199C4D6240585BDC2" xmpMM:DocumentID="xmp.did:CBFD1021532511E199C4D6240585BDC2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CBFD101E532511E199C4D6240585BDC2" stRef:documentID="xmp.did:CBFD101F532511E199C4D6240585BDC2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..q<....IDATx.b)--}...p..}.....i...2q u...2... v..F.$3.Z...@...$..&..%..i. ....@......... g5.[0@.j.ua ..T..._f@..0.L.6 N..EP....v.$..}.v.H;..v ....@.....w....`.uP(...@..*..........1.%>.d....IEND.B`.....

<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "524e5698c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 5182

Cache-Control: private, max-age=8848

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR...[...G......9......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "ce177098c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1504

Cache-Control: private, max-age=7790

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

GIF89a.........................v.....5..d..e..........................{......................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="A5EDB964567077337C8E54A0BBE35981" xmpMM:DocumentID="xmp.did:861DE9F12C2811E484A994AD54106D49" xmpMM:InstanceID="xmp.iid:861DE9F02C2811E484A994AD54106D49" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:df987947-01f7-4167-b08b-2878b7f29ca6" stRef:documentID="adobe:docid:photoshop:b746f760-73f3-1177-8ee4-c7825aacab4e"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,..........D`28Ga\.PA.......e3..L.UU:....Q..XCh.(...-.Z.....v..v._0\Q.J'.a.z.....!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G..@.d. J.C.d4.N. .J'.b.2...!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8088

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "caa5998c6fd01:0"

Cache-Control: private, max-age=8847

Expires: Wed, 24 Dec 2014 09:52:20 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ce177098c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ce177098c6fd01:0"

Cache-Control: private, max-age=7790

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8753

Expires: Wed, 24 Dec 2014 09:50:46 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

GET ///img/offers/r_db/r_bc/2d5611a4-628a-4b0a-bb01-95750affa250.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Sun, 09 Mar 2014 10:05:22 GMT

Accept-Ranges: bytes

ETag: "d6b2ad157f3bcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 41495

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR.............?.......sRGB.........gAMA......a.....pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<....IDATx^..w...u...4/_..........@...=H.n...i...hc'b.....cwB.....r.`HK.V$A/. A.....UU......e..s...|...*]uW.}^.......c..U-..}.r(.....-.............#....---YUU....Xmm...i.d2...h...~.s...~..po.}a.$.......3<........9f.Yg.r....`uuuI08f.1.p .........T__o;w....x........a......q.?y....q......a...:knn...&gb.5j{.}.A.#.`d|.....V.........|....)......|............}X../...4:........00.. .n...v..m...%..m*.JR..@......"_.ehh..#,..."..A...?n...w.!.....}aH.2.X..]r<}...<h`.:..o.>g......].....M.QX .ONN...Wmbb..\.b...~..Bl....n..O<a.<....}...~.......^....&........u....C.. 3.....J..y.-..f..I.r.X...A;u......>.bUc..}.Q/.......C(....1..h..g..{...{q..A..^g.[5?A..L.......v...9s..{\(b..9...g.uKG,...j.C!..1..hK.. ...p.h.A......6...9.Z..G.P..#.X....."..........~...h...?....D..?}.....p.p...*......Ah...$YKLp.Cy....b.,#t...AA.....?...nT|..~.hr;......&.../..c..........9.B@.P...d.u..Y.w..,...k....0<...n=iD..3.....0...!8z....0=...=.....'......Y.U............}.#.@(P&...U(~ ..".[.ZO....8.B@%F(..~...v.Y.\(....:w...W.\...O4.@..4x...1.Bp..q7.h.....zf#DW.}..=T..........{b.,n......g.....z..7......a.h...c..C.~.]..Bd...]".c......w.......F. .>.'...$*..".9A1csb[9..%.<T....(b.:#...e.$...t.O..~ ..k...M.....{.5.....o..."...O.e....W.A....:..=#.h!..z.1.h#L4cn..-....B.rB...A8..CAa.....R..'...c.8...I. ..@d.....H....~.....ub4-u.....i..R.....w..............0cj..L.n......s ....H^...{..XQ...../.V....(.wD.....q_...NXoF.

<<< skipped >>>

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT

If-None-Match: "9e6f411e773bcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT

ETag: "9e6f411e773bcf1:0"

Cache-Control: private, max-age=17999

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT

If-None-Match: "9e6f411e773bcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT

ETag: "9e6f411e773bcf1:0"

Cache-Control: private, max-age=17993

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 543

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "dm_version" : "1.4.0.4.141214.03" , "tracking_id" : "" , "json_send_time" : "2014-12-24.4:15:12:982" , "phase" : "Init" , "phase_type" : "regular" , "attempt_number" : "1" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "Is_Test" : "0" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "activated_by_stub" : "1" , "sln" : "29566" , "welcome_screen" : "0" }

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:50 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 587

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:13:638" , "phase" : "AfterNavM" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" }

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:50 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

HTTP/1.1 202 Accepted..Date: Wed, 24 Dec 2014 07:24:50 GMT..P3P: CP="NOI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length: 0..Connection: keep-alive......

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2296

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:20:779" , "phase" : "InStartLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "7797" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_opera

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:57 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2228

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:310" , "phase" : "Android detection start" , "phase_type" : "regular" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "531" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_service_pack" : "3.0"

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:57 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2294

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:341" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operati

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:58 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2742

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:388" , "phase" : "InitComplete" , "phase_type" : "regular" , "order" : "2.0" , "result" : "Success" , "error_details" : "" , "phase_duration" : "16" , "duration_details" : "EngineMgrCreated:828,BuildUserProfile:6890,retrieveCid:16,sendXML:0,xmlSent:0,startParse:234,endParse:16,StartOffersLoop:562,ValidateMO:16,NavigateFirstSlot:0,ReportInitComplete:0," , "general_status_code" : "1" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_id" : "1201545" , "product_id" : "0" , "product_type" : "Publisher's Offer" , "product_id_version" : "" , "rule_id" : "467134" , "vector_id" : "467727" , "is_parallel" : "0" , "call_service_duration" : "234" , "navigate_mo_duration" : "MONavigationCompleted:3422," , "navigate_global_duration" : "GlobalNavigationCompleted:3547," , "attempt_number" : "1" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_scr

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:57 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2760

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:420" , "phase" : "OfferPresented" , "phase_type" : "regular" , "order" : "3.1" , "result" : "Success" , "error_details" : "" , "phase_duration" : "16" , "duration_details" : "" , "general_status_code" : "2" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_suggestion_number" : "1" , "offer_presented_number" : "1" , "slot_number" : "1" , "position_in_slot" : "1" , "server_settings" : {"DownloadBrowser":"IE","CType":"-1","SearchProvider":"Bing","UserMode":"-1"} , "user_selection_settings" : "" , "condition_type" : "None" , "offer_type" : "Main" , "offer_id" : "1201545" , "root_offer_id" : "1201545" , "rule_id" : "467134" , "vector_id" : "467727" , "product_id" : "0" , "product_id_version" : "" , "product_type" : "Publisher's Offer" , "state" : "" , "installation_type" : "0" , "attempt_number" : "1" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:57 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2250

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "29566" , "json_send_time" : "2014-12-24.4:15:21:451" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "15" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "publisher_id" : "URSoftware" , "publisher_internal_id" : "265" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0", "publisher_account_id" : "A-3330836" , "channel_id" : "" , "machine_user_id" : "UPGGLP21ORZ3K5EA1X5F8YY1XNO5CI7N2QS4BF5DK6RX28AKIE0Z6STDXVY7DY/DBVFM8OXVWIBS0XSQ8FJ5NG" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "general_id" : "GID879506" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "26" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2014-12-24.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:58 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

GET /customoffers/customframeapi.js HTTP/1.1

Accept: */*

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Encoding: gzip

Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT

Accept-Ranges: bytes

ETag: "46a2919a7ac7cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 798

Cache-Control: private, max-age=31536000

Expires: Thu, 24 Dec 2015 07:24:59 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

Vary: Accept-Encoding

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"....i[T.t.N.....7NRz..:]eu.l.....4_N.Y.....Y...T.U...[e5..a<...;w...,......;......X.3...Y....G..W....(g....`B_..W.....2/.......j......=...\...^d.|..b.Z.............}4r......Wu.UP....H.w........w.|....8O.:..W|.h..m]L.m...,k..I>......N..~...e.....k.uM8./po\....`]...yu..'Y...?#.4o..a.A..S..j..e<q.}.~...t.O.....H?z..k?J....f...~I..M~s.M...m.|..c...Y~...6.o..0. Z....We6....9.......zo.z..w........\..Rk.....K./..1..D........m.8....h:.l...w.t.0o?J0...h.,..............$=..._.....n.l..... ...F..3.V......U^.Ok]@.....K..b..>...o;..t`m....jZ..|t...Cj......y.[...v..Z...?.|..?......[..]..`.i..A.q..4m.....#.F|U,g..X.......I.'.."....z#.......h.......a..b.K.#L...k.M..-..&...6z..........;....8".F.....

POST /DecisionEngine.ashx HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: engine.dmccint.com

Content-Length: 2509

Connection: Keep-Alive

Cache-Control: no-cache

<OFFER_REQUEST><COMPLETE_COMMAND_LINE>false</COMPLETE_COMMAND_LINE><USER_PROFILE><PUBLISHER_ID_NUM>265</PUBLISHER_ID_NUM><SESSION_ID><![CDATA[080914f4-46db-47a1-8d6d-2e1070d7fb1f]]></SESSION_ID><TRACKING_ID><![CDATA[]]></TRACKING_ID><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DMVersion</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>1.4.0.4.141214.03</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultBrowser</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>IE</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>CurrentToolbar</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>Homepage</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[about:blank]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultSearch</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USE

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/xml; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Dec 2014 07:24:57 GMT

Content-Length: 19758

...<OFFER_RESPONSE><MAIN_OFFER><OFFER_ID>1201545</OFFER_ID><OFFER_NAME>Your Uninstaller</OFFER_NAME><OFFER_URL>no_dynamic_main_offer_url_supported_in_this_version</OFFER_URL><OFFER_DESCRIPTION /><OFFER_INSTALL_CMD><OFFER_ID>1201545</OFFER_ID><OFFER_STATE>default</OFFER_STATE><DOWNLOAD_URL>hXXp://YourUninstaller.download.dmccint.com/Default.ashx?EnvironmentID=3</DOWNLOAD_URL><INSTALL_COMMAND_LINE>/verysilent</INSTALL_COMMAND_LINE></OFFER_INSTALL_CMD><INSTALLATION_TYPE>1</INSTALLATION_TYPE><PRODUCT_ID /><PRODUCT_TYPE>Publisher's Offer</PRODUCT_TYPE><PRODUCT_VERSION /><ROOT_OFFER_ID>1201545</ROOT_OFFER_ID><DOWNLOAD_URL>hXXp://YourUninstaller.download.dmccint.com/Default.ashx?EnvironmentID=3</DOWNLOAD_URL><OFFER_FILE_NAME /><DOWNLOAD_BACKUP_URL /><CONDITION_TYPE>None</CONDITION_TYPE><TOTAL_STEPS>1</TOTAL_STEPS><SOFTWARE_PRODUCT_VERSION /><ANTI_OFFER /><SUCCESS_CODE /><INSTALLATION_UI_ELEMENTS><UI_ELEMENT><NAME>DownloadBrowser</NAME><VALUE>IE</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>CType</NAME><VALUE>-1</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>SearchProvider</NAME><VALUE>Bing</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>UserMode</NAME><VALUE>-1</VALUE></UI_ELE

<<< skipped >>>

GET /Global/GlobalPage/1199375/?Language=None&Welcome=true HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 186842

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:51 GMT

Date: Wed, 24 Dec 2014 07:24:51 GMT

Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1201545GlobalPage HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "ac4d4d98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 933

Cache-Control: private, max-age=7791

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR.............e.......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:C8E631185D6711E1A99F8AF4FFA87D51" xmpMM:DocumentID="xmp.did:C8E631195D6711E1A99F8AF4FFA87D51"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C8E631165D6711E1A99F8AF4FFA87D51" stRef:documentID="xmp.did:C8E631175D6711E1A99F8AF4FFA87D51"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Z..G....IDATx.b,--.a``8....01.........{f.......IEND.B`.....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "10ce6d98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2562

Cache-Control: private, max-age=7791

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB26C3E111E3AEC3EB792256C508" xmpMM:DocumentID="xmp.did:72B2EB27C3E111E3AEC3EB792256C508"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB24C3E111E3AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB25C3E111E3AEC3EB792256C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......tIDATx....o\W...{f.........P.hb..VDQ..R!..*6f.... ..T.6..."V(...*..Xb.#!;.H...r.R.3q.nR?.^..~h&.....9..2v.f...|.;.1.(...R..~...N.{6.....[.e.'-..1(..k6[K.V.r.}.^ul...._...3[[.7..S.|p.....3g.Z./_.... Cxw?...G9...BC...R.....Lmnn^.<^o........b...Z...{.`~.....d......x...I0..L..HM....".@..4..`.... ..4..... .I07....$h;..T#...C.H4...v(.iF.v(.IG.v(.)F.....;..0..T#XM.&A...`=.. .)F.(r......<...@.....E...#Xm.... ...:..d#XO.".@......A.R.`.. ..F...%. .IF.W)..l.C#...NZ..b.B.8........./..s.............;.^..E.MY"."....?{.'Y}%....\`....jg...\y.......6a...$~.....s.f~..K/.-.....9...Fu......|.....l

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "404a5898c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=8089

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR...............r.....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:E4C0C980D870E111A2F7CE32BC247645" xmpMM:DocumentID="xmp.did:1D12B49752CE11E4A35AAE9F3918A442" xmpMM:InstanceID="xmp.iid:1D12B49652CE11E4A35AAE9F3918A442" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A3B36E671AF11E1BCD6B8635898C9B3" stRef:documentID="xmp.did:4A3B36E771AF11E1BCD6B8635898C9B3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>o.a*....IDATx...k.e.A......{..........P.K..........*~.i.....i...V$...E.....Z.TJ.1..:*..m......*i..jn..;3.....]k.s..L.o".}~.a.9.O.e}.._{....i..,.... ...g...._..-... ..".=....qT.{9..,../..?}...}...~..=............G...~,....xi3..e.o..@...WB...4.. u....... ?.H.."<....Ey......W......,|.?~)....f..^;..W.........w.k7.1...z..^Q\Q........l./4...`.B..-....X..Kygy.....F.......u:.n&.....G.g.&...zvo...........hz...........hz.....v.y.&...zY.-..,L.......z.7.X...{...izvo..(.WU..7.....t...._.h..f..^;...,~.....r.......TWg.......k.V.......T..=f

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "caa5998c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2726

Cache-Control: private, max-age=8114

Expires: Wed, 24 Dec 2014 09:40:06 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR...>.........$.=.....sRGB.........gAMA......a.....pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:DocumentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stRef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...P....IDATx^...N#K.....%.@.......B.D..$`.3U..j.3.h0..%m..E.iW.'........ ..?.......<<<.......V..i..d...`....S......v... ....S.Y.....r.._677...F..>=~....8z.....yyy)......`~r.>u.s{{...............Y.>5z.......!|....l6 [[[-z..x.........j...o{j..................EN...O..:..#....2....O......S.Y.?.......S.g.>..]b..X75eV]s....!|.//...#|........S..........j!|...........j....\u...:'''.....;;;C.........UM...O...?OOO..........F...?.W...U....X.............%v....O..!|..../X.4.....!|.......!|.......!|.......!|.......!|.......!|.......!|

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=9213

Expires: Wed, 24 Dec 2014 09:58:26 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "10ce6d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "10ce6d98c6fd01:0"

Cache-Control: private, max-age=7790

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8088

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e87a6698c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 2670

Cache-Control: private, max-age=9213

Expires: Wed, 24 Dec 2014 09:58:26 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

.PNG........IHDR...#...".......`.....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:F1E913D3555911E18CA7F85F751BB1C7" xmpMM:DocumentID="xmp.did:F1E913D4555911E18CA7F85F751BB1C7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F1E913D1555911E18CA7F85F751BB1C7" stRef:documentID="xmp.did:F1E913D2555911E18CA7F85F751BB1C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>~. .....IDATx..W]l.U.>........t...V~.X ...I@HA.'~.D. .J4....o.V.&...X.B.E...M$}....l...o.P..g........w.eKA.....nw.....}.9.`.n....r.|?(J..7 .;.....`.,.a.8Op....O..f..*.m..... g..(.../.f0.E.......L..........Ru.r.....J.....`2..O..*8....@.....X...@|..@..,S..K.....P=.#..n....D.P..Y.x.:T.t.......Qv.n4..P6......x$.\....a.....#0}.W...y:.*.@.q...OJ.....pdIi..#9s.a...F..a....."P....H........].H....x4...O/.<.....h:.J<b)..[....y....|f.a.....cy a..#..K2.z~I..ZS....HM...[,Wj@..0..D.4a.d.HQ..?.sp...6.....g:....2#...X.V.,.@.S.<....)....%.....p.&......M....$.b.......I.>hI.O.c.6AW'....C<1..F[..

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8088

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:53 GMT

Connection: keep-alive

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1199375/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8087

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:54 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: image/png..Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT..ETag: "404a5898c6fd01:0"..Cache-Control: private, max-age=8087..Expires: Wed, 24 Dec 2014 09:39:41 GMT..Date: Wed, 24 Dec 2014 07:24:54 GMT..Connection: keep-alive......

GET /DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 174691

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:58 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=9207

Expires: Wed, 24 Dec 2014 09:58:26 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ce177098c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ce177098c6fd01:0"

Cache-Control: private, max-age=8876

Expires: Wed, 24 Dec 2014 09:52:55 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=7784

Expires: Wed, 24 Dec 2014 09:34:43 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8082

Expires: Wed, 24 Dec 2014 09:39:41 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "ea23644c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "98a6d98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2779

Cache-Control: private, max-age=8111

Expires: Wed, 24 Dec 2014 09:40:10 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ce177098c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ce177098c6fd01:0"

Cache-Control: private, max-age=8876

Expires: Wed, 24 Dec 2014 09:52:55 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

GET /ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 35920

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT

Accept-Ranges: bytes

ETag: "03ea67913bdcf1:ded"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=86400

Expires: Thu, 25 Dec 2014 07:24:58 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

...............7.(._.^...Lk..".......QlY....e.%..f...H.*.d&....\......s3k......8...d".@..CI..3k..b./..........>.>.....^<.\.M:x..g_>{<..ON.{......'...x......d....2QI..........70.. ...........8/.O^}sr.@O...<V...J..3......Y)z..~..''.E.....7R...|,..%oD.8..........K....7.JO....(..;.>.#.S.J...'.....M.@..SrY..s..N....o..|.j`.'....]......!..._}..|..4........2.K..l.S<./d.c^n....".\.\]q........E.J..M\\&Y4.n..*...k.CS..W..N&.>}#..,..8N..,.\.. ..4.).......L6.w.y..E....q...D./.4..%.._S..x-.r.*...k>.......u...../U.F....z[.\....F..Jv.A.;l..........(?x....|......%...M...,.w...A0.......-.!..........b..I.(H.JV .M.. .\^)l.......j.IFE.8eB......}.\..4..L......'.......?.......A......D.dW.......5......E~.,..U.QX..?..f..A..o..a....2OwJN]b*....'.o{c.....`.Q..*6_?J.Lc`&.4.5j...x...]Q.E......alG..b0..-.<..?...BB..w....o\...~8.gza2..|...h..@... vP..G.<z.Q...NV...8.3....E..V.......S..%.....[.o...x._.p)..L..P.C.........1..u?XBm...o.......f........{..0.05C.A..NX.N.).<E..`M....'...t0~PN..V..g...m4...o.%I.I. ...A..S.N...7.....m...N.WI.3....oi....F.-..a.e|.....v...E.X.3.V ..w!.n*[..|....u....q...x....]....Uk.....~.-:...m.\..q..d....e!ev.......?H...............~]...{.xp).x..0>.".S/...u._.c.N.=b.........G..*)D...%.O@.q..t2.$.....A.......0....t.}..7N2d.n....g..N(..~.I....H....... `.[.....S.&.?lo...`=.....\.<....N{[...4...] `..}n.,.....i...6[.eE...]?.D..[....a=|..}.[(.._@!"..C.~.Q.w...\.|.t....q".o!....R'1sG....z..2..M^.n'...`...Nz'.....!..6... v....,.S\.R.}b.?&.....,.....ep..........dL.L>.{G...!...

<<< skipped >>>

GET /ps/OptimizerPro/offerscreen/global/1/index.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/919447/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 4506

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 11 Dec 2014 13:59:41 GMT

Accept-Ranges: bytes

ETag: "804477b54a15d01:528"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=31536000

Expires: Thu, 24 Dec 2015 07:24:59 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

...........Z...7...z.........;.....o..Hb.n..,..U<R1."kH...#.......'.s.I..V.$;.U.P./... )_......?.y%.........{!&'...........?....{.hz*...AG..4....'b.....f..z.>.:..].....G.9?....S..........r.J,......?..>....f...%LC\.C.6N....0..|.@...y...''H..n;c..#.=....g.dru..TW..D)h...e......F...z..D4...$.m....i......... T...:.......2.....B......~f...x....kQ^g...Q.>......n..}=...z.|W.}..@.km.!.F.......u.s.u.ul..j.W<^vx....I.......Ji....C=.. .?:=....|..4'...=.s.....7D.>....T.t..4w^.?..gq...y..q..>...t.gP..YgB.....B...y...5C...D..zZi..P.`.)..;Pz..u..'k.b{Nl....xa.Q.7.V....^...\."x.)..\L....Co...0.......b{A.......V....kA/.Hz.O......D...L...O.';........q...).....g...x...W.w.......x..._.'a$.<y..^lG.D.8..NX.p. .3Z..jA.;Kds..n..\.......o\2z.x...=.X.N.TYz-.8G..0n}BSCt.La....wQ../..qU.?....(/F.S<..X....}F.."e6U.H...:{$r...Q...e....]#|u..gO..we>..z.0z.S.V...#.........L..:\.]....o...>...".C........c.....(m-..h..~V...'.wqT..Q.#^.....J........D...b...Cr..B.X<J.y..d.;.q2w1..Q..{.5...a./.s...-=L$G.=.,%[.9.w.....:..u......n....{br....i......2...HV...hi..t.......t.u..........?....t....]e..M....}.~..q2.b...nR....Mq.(.](.%......_r.hT..T~.......]....W.?.E.H~..hD......55..N..r....*...K....{9.......R]R....... .......\U..a.nruI.... z..p..[..-.Zz...(..t .........N,!..}............@x...,.1n..R..w>J..".Q............ I..p..r..].P.=...I.;.=...J<..t.!....er..AG.o^.....s ....b$0...n{.!....\"..lDJ..i]......b....hn1..Th.]....i..9.N*..E....~..k..[0?..q..$r.4..._..h..<.?N.u..........cN.........V.i..5....'...5..d..NnD

<<< skipped >>>

GET /LMS/PS_searchprotect/PS_searchprotect.json HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie#cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept: application/json, text/javascript, */*; q=0.01

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 250005

Content-Type: application/json

Last-Modified: Wed, 17 Dec 2014 11:45:53 GMT

Accept-Ranges: bytes

ETag: "a8cc23ef19d01:ded"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=7200

Expires: Wed, 24 Dec 2014 09:24:59 GMT

Date: Wed, 24 Dec 2014 07:24:59 GMT

Connection: keep-alive

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

{"Product":"PS_SearchProtect","LastUpdate":1345880,"Translations":{"ar":{"Keys":{"@@AcceptAndInstallButton@@":{"Text":"\u0623\u0648\u0627\u0641\u0642 & \u0648\u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u064a\u062a"},"@@Body_text_1st_paragraph@@":{"Text":"\u064a\u064f\u0631\u062c\u0649 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637 \u0627\u0644\u0647\u0627\u0645\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0642\u0628\u0644 \u0627\u0644\u0645\u062a\u0627\u0628\u0639\u0629."},"@@Body_text_1st_paragraph_2@@":{"Text":"\u0643\u062c\u0632\u0621 \u0645\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c\u060c \u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u064b\u0627 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0628\u062d\u062b. \u064a\u064f\u0631\u062c\u0649 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637 \u0642\u0628\u0644 \u0627\u0644\u0627\u0633\u062a\u0645\u0631\u0627\u0631."},"@@Body_text_2nd_paragraph@@":{"Text":"\u0642\u0645 \u0628\u062a\u062b\u0628\u064a\u062a \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0628\u062d\u062b \u0644\u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0635\u0641\u062d\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0648\u0627\u0644\u0628\u062d\u062b \u0627\u0644\u0627\u

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 738

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "technical" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "json_send_time" : "2014-12-24.4:15:21:341" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_WaitForDMInitComplete" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "publisher_id" : "URSoftware" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0" }

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:58 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 727

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "regular" , "installation_session_id" : "080914f4-46db-47a1-8d6d-2e1070d7fb1f" , "json_send_time" : "2014-12-24.4:15:21:420" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_EndOfSession" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "5a97c212-9d8d-4368-bcfc-7f7b8f3c3752" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "265" , "publisher_account_id" : "A-3330836" , "publisher_id" : "URSoftware" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0" }

HTTP/1.1 202 Accepted

Date: Wed, 24 Dec 2014 07:24:57 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

HTTP/1.1 202 Accepted..Date: Wed, 24 Dec 2014 07:24:57 GMT..P3P: CP="NOI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length: 0..Connection: keep-alive..

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/1199375/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141214.03&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT

Accept-Ranges: bytes

ETag: "9e6f411e773bcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 5253

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:52 GMT

Connection: keep-alive

.PNG........IHDR................/....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:EA751F92A50111E3BCC1DD2AE70EC44D" xmpMM:DocumentID="xmp.did:EA751F93A50111E3BCC1DD2AE70EC44D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:EA751F90A50111E3BCC1DD2AE70EC44D" stRef:documentID="xmp.did:EA751F91A50111E3BCC1DD2AE70EC44D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.L......IDATx..[.pT.y.....v%...@.$$....B..6.......6!..........[;.gR;$v..=yP..Lk;.[.nhp.....l...0.#@H..._......;.g.;...H ....7.}....|....?W...?NF #..N.T.dY&I.(.......;.M......Y........D.._.=|....D".3...r:..p82..L&..L[...$uuu........&....'EQH..)..............pY,.;&...K..u N{8.^388....._...p.......6r0..T............z..\.. ..z.U..u...w....8y....`.Y\...ps.................~Q..'.H.b...(....T.M..a..r7.*=$...P.Bu..9.;G..]~....h..s.?..`. gL......z...uuuS..H...%:~z.......HQ.....L.\.%....y..Z.1..:..U.%..Z.`.=...s..=wCs..Z...r..|H...'.,./.1..\..i.cJ..FG...g.....@R}?....d.HKk...(..L.......aZ4t.V..R...L.mmm

<<< skipped >>>

GET ///img/Logos/r_41/r_27/9ff4d7d9-e509-4157-9272-672e770a13c4.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1199375/1201760/?mainofferId=1201545&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Sun, 09 Mar 2014 09:08:21 GMT

If-None-Match: "9e6f411e773bcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Sun, 09 Mar 2014 09:08:21 GMT

ETag: "9e6f411e773bcf1:0"

Cache-Control: private, max-age=17994

Expires: Wed, 24 Dec 2014 12:24:52 GMT

Date: Wed, 24 Dec 2014 07:24:58 GMT

Connection: keep-alive

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

Your_Uninstaller.exe_1576:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

H#.Mx

dWi7.wU

zcÃ

.?AVfsURL@@

.?AVfsInternetURLFile@@

.?AVfsInternetURLFileDownloader@@

.?AVfsHttpFile@@

.?AVfsFtpConnection@@

.?AVfsFtpFile@@

.?AVfsHttpConnection@@

6'6,60646]6

2(2F2i2

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXps://VVV.verisign.com/cps0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

Nullsoft Install System v2.46.5-Unicode

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

LOCALS~1\Temp\nsvB4.tmp\webapphost.dll

n Data\Google\Chrome\User Data\Default

=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

conPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapphost.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp

n\App Paths\IEXPLORE.EXE

geDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

0d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.0.0.1

Download.dll

nsvB4.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapphost.dll" (overwriteflag=1)

\webapphost.dll"

PLORE.EXE

gle\Chrome\User Data\Default

dleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

ByStub BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe /ByStub BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f

Your_Uninstaller.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\080914f4-46db-47a1-8d6d-2e1070d7fb1f\Your_Uninstaller.exe

LORE.EXE

IEXPLORE.EXE

080914f4-46db-47a1-8d6d-2e1070d7fb1f

hXXp://ude.databssint.com

hXXp://engine.dmccint.com/DecisionEngine.ashx

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico

Icons\icon.png

5a97c212-9d8d-4368-bcfc-7f7b8f3c3752

1201545

hXXp://cms.dmccint.com/MainOffer/1199375/

Setup.exe

hXXp://cms.dmccint.com/Global/GlobalPage/1199375/

hXXp://business.va.conduit.com/chrome/inline/instafeed/shell.html

d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

G/moc.tniccmd.smc//:ptth=lrUegaPlabolG

1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

se MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

yStub BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.3.9.0.140504.01

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\webapp\

1511843

Naive_recommender_Bayesian_adjust_2014-12-24.csv

Microsoft Windows XP

6.0.2900.5512

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default

/ByStub BundleIDGuid=5a97c212-9d8d-4368-bcfc-7f7b8f3c3752 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=080914f4-46db-47a1-8d6d-2e1070d7fb1f MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1199375/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=265 PublisherName=URSoftware AcountId=A-3330836 MainOfferKey=1201545 MainOfferName=Your Uninstaller DynamicOfferCount=0 IsSilent=true Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1199375/ MOBrowserInline=false MOInstallationType=1 IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\client_xml.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB4.tmp\offer.xml

no_dynamic_main_offer_url_supported_in_this_version

%Program Files%\Internet Explorer\iexplore.exe

GenericDM.exe

1.4.0.4.141214.03

svchost.exe_340:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512