SearchProtectToolbar_pcap_67cf40a67c – Adaware

not-a-virus:AdWare.Win32.InstallMonster.deih (Kaspersky), SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)Behaviour: Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 67cf40a67c0e8b7e9ad656a100e8b671

SHA1: 820baccf4d32888b9ff21feb87b89512bf72f6d1

SHA256: d4812a4e511f8e362545ff28baade85373a4280d59073beff1d92ba4320c2de4

SSDeep: 49152:UfwKBmF54Fm3uTeLMBW1wZvMxPcOe5HFy:Uf9 5Km3RwZEiOe54

Size: 2067072 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: TODO:

Created at: 2014-10-17 23:35:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

%original file name%.exe:1848
4513006728:372
10065850:1908
6360544393:1164

The PUP injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1848 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%System%\10065850 (12288 bytes)

The process 4513006728:372 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SPtool.dll (180359 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)

The process 10065850:1908 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UXQJ0FO1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3984067087.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\LRg1n8XGLt9Ry2RE_img3[1].txt (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0542417287.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2199236299.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7E9YUIW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6360544393 (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\spidentifierimpl[1].exe (304535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\1342[1].jpg (11613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\LRg1n8XGLt9Ry2RE_img1[1].txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UXQJ0FO1\jquery.min[1].js (6968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7E9YUIW\wajam_validate[1].exe (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4513006728 (304535 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409 (0 bytes)

Registry activity

The process 4513006728:372 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 5C AA 4C 50 0A 0E 39 0F 1C DF C9 18 1D E1 83"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 10065850:1908 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014120420141205]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014120420141205\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014120420141205]
"CacheLimit" = "8192"

"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014120420141205]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014120420141205]
"CachePrefix" = ":2014120420141205:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 CB 7C C1 FE 26 7D 1B B2 A9 06 A7 A9 4C 7B 02"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040820140409]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 6360544393:1164 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 72 35 FE 26 1A BB E3 C5 D2 BE 00 FC EE A6 34"

Dropped PE files

MD5	File path
484003524ef2000db83cb16ced0a48a1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4513006728
46f5c497f96e733176b010ff0ee56de3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6360544393
484003524ef2000db83cb16ced0a48a1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\spidentifierimpl[1].exe
46f5c497f96e733176b010ff0ee56de3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\U7E9YUIW\wajam_validate[1].exe
06cd61177479373c67080121874a59a3	c:\WINDOWS\system32\10065850

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1848
4513006728:372
10065850:1908
6360544393:1164
Delete the original PUP file.
Delete or disinfect the following files created/modified by the PUP:
%System%\10065850 (12288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SPtool.dll (180359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UXQJ0FO1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3984067087.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\LRg1n8XGLt9Ry2RE_img3[1].txt (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0542417287.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2199236299.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7E9YUIW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6360544393 (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0P27CDIR\spidentifierimpl[1].exe (304535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\1342[1].jpg (11613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\LRg1n8XGLt9Ry2RE_img1[1].txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UXQJ0FO1\jquery.min[1].js (6968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFWDSVSJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7E9YUIW\wajam_validate[1].exe (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4513006728 (304535 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: TODO:

Product Name: TODO:
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Installer.exe
Internal Name: Installer.exe
File Version: 1.0.0.1
File Description: Internet_Explorer_Update
Comments:
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	18546	18944	4.46262	189c88c2ecea974696083197962be8f2
.rdata	24576	8482	8704	3.25315	e44aca5a317cdd0a5f10729135a9bf4e
.data	36864	6624	3072	1.70468	ee16d5a701ad2e6c46d500d1e0b098c2
.rsrc	45056	2020832	2020864	5.40615	3e35fd1cf9434952ec792fcde5dd5be8
.reloc	2068480	6926	7168	1.44623	9ae50d7ef8be7756c3d4b385b303778a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 167
db9ec636bc1921c25071e1091af69df8
eb71361c9324b3da97719ce2be2b8431
de2f7da43ca30a8dfbf255c7346f6fb9
d94c026f77a4f4392223cff6a5e771b9
3cf60d9f9bd0e37687fa74c6977af79c
40dd11272e1b74f40e23d7725bdd3f61
1ba21365fb5d6faaf70a298a09d55baf
b6b013b1200f393ee60f75ef0b0b2b99
2679fba5cdcb953b20c06099645e5bbb
09cf493676e4d2eda2aaed88cd6ae747
2292e40af10944af22a0467fa64936d3
7707b66b1ffd45e8680c15c636217747
18145d0b5fef8dcc27b9dfcd8545d1c3
eb707f15285805c4428fb900ad1816f4
916d5a6003570d9a25101cdffb5fc33e
be1c6d00f498129c5cecdec7b7daf4ce
4f03cde5cd1f6f74e8eec85a593f8ef5
2a3a1b9c385041cc37bb070810b4b442
594219b25cdebadaaf2ee4920bfd0414
bd8154720ce973442a39100438a31986
609c5e5a03a3b9cbfc3bed1cc7df4538
d01e8cad8c82a9f3edf7c9ee576a0eb2
725d42c1d300db30169466225135ec2a
1669fea28b2229ab19559b9480c216c5
98b213ff305e663542ccb32f8150bc49
5ccd2cb3a88a30a793165a1534cd80e0

Network Activity

URLs

URL	IP
hxxp://e6337.g.akamaiedge.net/spidentifier/1.0.2.0/spidentifierimpl.exe
hxxp://e9287.g.akamaiedge.net//spidentifier/1.0.2.0/spidentifierimpl.exe
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/
hxxp://www.wajam.com/download/wajam_validate.exe
hxxp://www.wajam.com/install/valid?v=1&unique_id=5A9377C1B9B59AE7E78D286BF392BB44
hxxp://8.36.40.62/common/gate/installer_gate_client.php?download_id=10065850&mode=getcombo&offers=1081\|1129\|1146\|1043\|1153\|1154\|1147\|1144\|1075\|1157\|1161\|1163\|1164\|1165\|1173\|1171\|1113\|1190\|1191\|1060\|1203\|1204\|1205\|1207\|1172\|1209\|1174\|1210\|1038\|1219\|1212\|1086\|1032\|1122\|1056\|1217\|1127\|1119\|1222\|1195\|1196\|1197\|1198\|1206\|1187\|1224\|1225\|1226\|1227\|1228\|1229\|1231\|1233\|1230\|1220
hxxp://8.36.40.62/common/gate/report.php?download_id=10065850&mode=6&combo_id=9999&os_name=Windows XP&os_add=Service Pack3&os_build=2600&proj_id=1342&offer_id=0&templateid=40
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.10.1/jquery.min.js
hxxp://8.36.40.62/common/installer_logos/1342.jpg
hxxp://8.36.40.62/common/interface/images/LRg1n8XGLt9Ry2RE_img1
hxxp://8.36.40.62/common/interface/images/LRg1n8XGLt9Ry2RE_img3
hxxp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe
hxxp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img3
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js	64.233.161.95
hxxp://installmetrix.com/common/gate/installer_gate_client.php?download_id=10065850&mode=getcombo&offers=1081\|1129\|1146\|1043\|1153\|1154\|1147\|1144\|1075\|1157\|1161\|1163\|1164\|1165\|1173\|1171\|1113\|1190\|1191\|1060\|1203\|1204\|1205\|1207\|1172\|1209\|1174\|1210\|1038\|1219\|1212\|1086\|1032\|1122\|1056\|1217\|1127\|1119\|1222\|1195\|1196\|1197\|1198\|1206\|1187\|1224\|1225\|1226\|1227\|1228\|1229\|1231\|1233\|1230\|1220
hxxp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img1
hxxp://installmetrix.com/common/gate/report.php?download_id=10065850&mode=6&combo_id=9999&os_name=Windows XP&os_add=Service Pack3&os_build=2600&proj_id=1342&offer_id=0&templateid=40
hxxp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe	23.64.227.152
hxxp://installmetrix.com/common/installer_logos/1342.jpg
hxxp://sp-installer.conduit-data.com/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /common/interface/images/LRg1n8XGLt9Ry2RE_img3 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: installmetrix.com

Connection: Keep-Alive

Cookie: PHPSESSID=982282244a1a8950d90a204a2414e9a5

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:34 GMT

Server: LiteSpeed

Accept-Ranges: bytes

Connection: close

ETag: "1765-52fd2f63-260ec70baae20673"

Last-Modified: Thu, 13 Feb 2014 20:47:31 GMT

Content-Type: text/plain

Content-Length: 5989

.PNG........IHDR.............8,U.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /common/installer_logos/1342.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: installmetrix.com

Connection: Keep-Alive

Cookie: PHPSESSID=982282244a1a8950d90a204a2414e9a5

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:34 GMT

Server: LiteSpeed

Accept-Ranges: bytes

Connection: Keep-Alive

Keep-Alive: timeout=5, max=100

ETag: "13d30-53e11a02-e9c9d91914d4549d"

Last-Modified: Tue, 05 Aug 2014 17:53:06 GMT

Content-Type: image/jpeg

Content-Length: 81200

Cache-Control: public, max-age=604800

Expires: Thu, 11 Dec 2014 01:34:34 GMT

.PNG........IHDR.............?..B....iCCPICC Profile..x..T.k.A..6n..".Zk..x."IY.hE.6..bk....E.d3I.n6..&......*.E......z.d/J.ZE(..(b..-..nL.....~..7.}ov...r.4......R..il|Bj......A4%U..N$.A.s.{..z..[V.{.w.w........@.G..*...q.Y...<..).t.......9Nyx... =.Y"|@5-..M.S.%.@.H8..qR>.......inf....O......b..N......~N..>.!....?F......?.a.....=..5..`.....5.._.M'.Tq.......V.J.p.8.da.sZHO.Ln....}&....wVQ.y..g....E...0.......HP.E.a..P@.<.14.r?#....{2u$j.tbD.A{6.=.Q..<.("q.C....A.*..O.y..\..V........;..........sM^|..v.WG..yz....?.W.1..5..s...-_...)....U..K.uZ17..l.;=......s...7V..g.jH......U.O^...g..c.)1&v..!.......K...`m.....).m..$.``.../]?[x.F...Q....T....*d4...o...........(./l....mSq...e.ns.....}..nk.~8..X<...R5. ...v.z..).....9R.,.....bR.P.CRR.%.eK...Ub.v....n..9B...Je........R...R.~N.....o...E.x......pHYs............... .IDATx.....]Gu/<3...{U....%[. .2.$.<.C.@....y.@..E...@.....|!@...DBL1.....eK.%[........~.....k.9GW......Ymf......{k.....4..@.3-..K......Z..M..".#..E......$u"....H.K.I.\:....!.1&. .t.......\^...t.uX..b...1d.u....,.K:.o. q......:kG....%.l.1X..N....].7..xU...9.....O..."..#..gp.G...... .K.<..!..>....E......iK1..*C.%......S....Z).1.0.o....e.........l.P!>JS.`..5.YB.....@8..L.....|B..%!r.|d....>....f...bD/. .....V.e.eV.G.SF..Y.C..&d.zJ.6.a......y.,HhHN@.g..T.B..a........c..,..... ..i..2........yCZ......2.uX2...0r.8....]......... ......`..\d....4.E.'..t...tB..%e...g..x..-..."........r.wiC.V7....p.W.....J\(.Zu.t...../eV..k.H.TF....!*?....|".Z...HY..|%.[..K..Y^.......p.........-...B

<<< skipped >>>

GET /ajax/libs/jquery/1.10.1/jquery.min.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Mon, 03 Jun 2013 01:27:22 GMT

Date: Wed, 26 Nov 2014 15:07:26 GMT

Expires: Thu, 26 Nov 2015 15:07:26 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 32862

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 642427

Alternate-Protocol: 80:quic,p=0.02

.............{...0.{....U.sD.N...3.u.4i....&-E..HPB....j.....Yf.B......Mk..`.3g...>..........'..x49...ep.d<.\.......|...*.3q.u..A._..7...<M.e....NO....w.2.6.n.........&.F.h........l.u.......8.D!.Y.m.|}T.\..4_r......n.g.(edn^.1=K...S....X......B...#..JnG.<.J..\nw......{/6p.d........Q.............&{].......\...F...H.....Q.......T.T.F..^.....d1.g........WC.../...n..t..(....7..K.L......../^.<.}:^....#(...a..c......O..Y0.w.x\....'..A..T..r_..7........./.O.'g5.~A.-Dx.?/.....y.E..a-.n.|.`..B..q.......: .E.................U.z.wX.8.....*vq...2..]..'<%..Sr).C.N6....F.......x.........q...,*c...7.\p.G.h.zq...MRVq..u..y.....BH...|.M.*.........*.........-?..h...@p..~.c...:n<....}.,.*|... O.&..@.....\$...U\E. *.{yF.)....(...(V.*.*.nO.P..h[.U.....a....R.b-...o..s..5lY...............'^I[.&Oml.xx.H...e.b....0..Y..l.8...N&.N...Ogs......"|5.o.%,..$u=H....q..1..:..hf>...h.{......3>?3...X..5..Q...l....e..".`.7qq..X..l....z..7......,_.oa..l....=WX.:.Fb0...~T.e........u.%.w.........g.t.(...K=...<Y.3u.gx.....>..d........_..q~y.......D~|..(.. .7.=.%...T@.S.I..xY.DP7......q~........q..\...u......LW.....ac>.`V..........W.W[..K.h0.W..7...iQDw>..[\..z....cQ.T,tv....h..)5..............Vr....p|.........x./.....\.|....c%].l@9.......k.5.kQ5.^..j/b@.a/....;...|/h..F..%..M.H..y...%p.D.{..:c.._...H......ME..N..:TA.....H.........3..:.L...OK......gv&....Y6.5.g.E8_@....MO.s..-....Df...........lup..J.u......P..(...~..W.[Z.....0|.C1....X.....v...HDC....2rz.`..5pl)l..}.g{)..)bB."..8.,A)ao/e..l. {../.A;..u.q.A].%...

<<< skipped >>>

GET /spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1

User-Agent: 10065850

Host: sp-storage.conduit-services.com

HTTP/1.1 301 Moved Permanently

Location: hXXp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe

Server: BigIP

Content-Length: 0

Cache-Control: private, max-age=900

Expires: Thu, 04 Dec 2014 01:49:06 GMT

Date: Thu, 04 Dec 2014 01:34:06 GMT

Connection: keep-alive

HTTP/1.1 301 Moved Permanently..Location: hXXp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe..Server: BigIP..Content-Length: 0..Cache-Control: private, max-age=900..Expires: Thu, 04 Dec 2014 01:49:06 GMT..Date: Thu, 04 Dec 2014 01:34:06 GMT..Connection: keep-alive..

GET //spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1

User-Agent: 10065850

Host: sp-storage.spccinta.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Thu, 04 Dec 2014 04:16:20 GMT

Accept-Ranges: bytes

ETag: "bd95aafde34a6270e612f226404df5e3"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 2592168

Date: Thu, 04 Dec 2014 01:34:06 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@...................................'...@.................................@...........0............t'. ....`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...................................rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: sp-installer.conduit-data.com

Content-Length: 225

Connection: Keep-Alive

Cache-Control: no-cache

{"event_type":"SPidentifier", "environment":"", "machine_ID":"ZJRJCZACPP86RWSEVX8GFL AMAKAC4SSR9BLLZSMMDQNC6VVPQAR3SIEJHJ6K/DKZBYXQYKKQBYUF8ETVHDB W", "result": "success", "failure_reason": "clean_machine", "SP_version": ""}

HTTP/1.1 202 Accepted

Date: Thu, 04 Dec 2014 01:34:27 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

GET /install/valid?v=1&unique_id=5A9377C1B9B59AE7E78D286BF392BB44 HTTP/1.1

Host: VVV.wajam.com

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:30 GMT

Server: Apache/2.4.10 (Ubuntu)

Set-Cookie: PHPSESSID=7cck3ljaubedv71e0vrds4qjn1; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14176568708501376; expires=Fri, 04-Dec-2015 01:34:30 GMT; Max-Age=31536000; path=/; domain=.wajam.com

Set-Cookie: _wal=1417656870; expires=Fri, 04-Dec-2015 01:34:30 GMT; Max-Age=31536000; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5A9377C1B9B59AE7E78D286BF392BB44; expires=Fri, 04-Dec-2015 01:34:30 GMT; Max-Age=31536000; path=/; domain=.wajam.com

Set-Cookie: _waab=70,59,16,89,98,36,96,24,12,31; expires=Fri, 04-Dec-2015 01:34:30 GMT; Max-Age=31536000; path=/; domain=.wajam.com

Content-Length: 1

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w3|VH 6K|VH 6K; path=/; domain=.wajam.com

0..

GET /download/wajam_validate.exe HTTP/1.1

User-Agent: 10065850

Host: VVV.wajam.com

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:28 GMT

Server: Apache/2.4.10 (Ubuntu)

Last-Modified: Mon, 20 Oct 2014 14:14:11 GMT

ETag: "2c00-505db542da4d7"

Accept-Ranges: bytes

Content-Length: 11264

Connection: close

Content-Type: application/x-msdos-program

Set-Cookie: APPSESSID=w4|VH 6J|VH 6J; path=/; domain=.wajam.com

Cache-control: private

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z~..;...;...;..D'...;../$...;../$...;../$...;..D3M..;...;...;../$...;../$...;..Rich.;..........PE..L...A..R.................0.......`.......p........@.................................................................................................................................................................................................UPX0.....`..............................UPX1.....0...p...&..................@...UPX2.................*..............@..............................................................................................................................................................................................................................................................................................................................................................................................................3.09.UPX!......X,)rA..u..."......&..b....U...E..@...M...U..._B..#Eg......A...........vT2.].?...%"....E.!..M.........?..k..n......}........j!...}w..Y.H.../.J....M..w.{..;s.LB......~.}.A.}..tq...B..@~..{k..@. fi.....w..{..U..P..Q M.L......Q.{<v...>.}..n?.X....*.. M.....R.{.u5P1.n...J..@..w.e......}.@|.>ns..f.Q)....&a.Z.R.7z.1....`..P.=/.k..*.Q.....3..`....Xa...t,aP...u.o..-MM...j@:.R.E.P]s..>.M..d.F..U..;|..E........onY.. ...}7X.3........3..B........I.......L.p......6.#....#...............x.j."B.a...4.X...!fu....'#U....?.....2<...

<<< skipped >>>

GET /common/gate/installer_gate_client.php?download_id=10065850&mode=getcombo&offers=1081|1129|1146|1043|1153|1154|1147|1144|1075|1157|1161|1163|1164|1165|1173|1171|1113|1190|1191|1060|1203|1204|1205|1207|1172|1209|1174|1210|1038|1219|1212|1086|1032|1122|1056|1217|1127|1119|1222|1195|1196|1197|1198|1206|1187|1224|1225|1226|1227|1228|1229|1231|1233|1230|1220 HTTP/1.1

User-Agent: 10065850

Host: installmetrix.com

HTTP/1.1 302 Found

Date: Thu, 04 Dec 2014 01:34:31 GMT

Server: LiteSpeed

Connection: Keep-Alive

Keep-Alive: timeout=5, max=100

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Location: hXXp://beta.installmetrix.com:5000/getcombo?download_id=10065850&mode=getcombo&offers=1081|1129|1146|1043|1153|1154|1147|1144|1075|1157|1161|1163|1164|1165|1173|1171|1113|1190|1191|1060|1203|1204|1205|1207|1172|1209|1174|1210|1038|1219|1212|1086|1032|1122|1056|1217|1127|1119|1222|1195|1196|1197|1198|1206|1187|1224|1225|1226|1227|1228|1229|1231|1233|1230|1220

Content-Type: text/html

Content-Length: 1148

<!DOCTYPE html>.<html style="height:100%">.<head><title> 302 Found..</title></head>.<body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">.<div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">. <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1>.<h2 style="margin-top:20px;font-size: 30px;">Found..</h2>.<p>The document has been temporarily moved to <A HREF="%s">here</A>.</p>.</div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;">.<br>Proudly powered by <a style="color:#fff;" href="hXXp://VVV.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>.....

<<< skipped >>>

GET /common/gate/report.php?download_id=10065850&mode=6&combo_id=9999&os_name=Windows XP&os_add=Service Pack3&os_build=2600&proj_id=1342&offer_id=0&templateid=40 HTTP/1.1

User-Agent: 10065850

Host: installmetrix.com

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:32 GMT

Server: LiteSpeed

Connection: close

X-Powered-By: PHP/5.4.31

Set-Cookie: PHPSESSID=982282244a1a8950d90a204a2414e9a5; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Type: text/html

Content-Length: 0

GET /common/interface/images/LRg1n8XGLt9Ry2RE_img1 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: installmetrix.com

Connection: Keep-Alive

Cookie: PHPSESSID=982282244a1a8950d90a204a2414e9a5

HTTP/1.1 200 OK

Date: Thu, 04 Dec 2014 01:34:34 GMT

Server: LiteSpeed

Accept-Ranges: bytes

Connection: close

ETag: "de2-52fd2880-b3fb5a4c2d641939"

Last-Modified: Thu, 13 Feb 2014 20:18:08 GMT

Content-Type: text/plain

Content-Length: 3554

.PNG........IHDR...f...!..... .......pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...M....V>VyV.V

<<< skipped >>>

Map

The PUP connects to the servers at the folowing location(s):

Strings from Dumps

10065850_1908:

.text

`.rdata

@.data

.rsrc

@.reloc

u(SSSSSh

PSSSSSSh

f;T$.uBf

QSShx'V

tFHt:Ht.Ht"Hu`

j%XtL9E

t'SShl

SSSSh

tWSShW

tl9_ tgSSh

u$SShe

FTCP

u.Ph

tAHt.HHt

FtPW

SSh@B

s%j.Zf

RegOpenKeyTransactedW

RegCreateKeyTransactedW

CCmdTarget

RegDeleteKeyTransactedW

CNotSupportedException

CHttpFile

RegDeleteKeyExW

TaskDialogIndirect

CMDITabProxyWnd

CMDIChildWndEx

CMDIFrameWndEx

CMDIChildWnd

CMDIFrameWnd

CMDIClientAreaWnd

CMFCToolBarsKeyboardPropertyPage

GetProcessWindowStation

operator

hXXp://installmetrix.com/common/gate/report.php?download_id=%s&mode=%d&combo_id=%d&os_name=%s&os_add=%s&os_build=%s&proj_id=%s&offer_id=%s&templateid=%s

first url

Windows 8

Windows Server 2012

Windows 7

Windows Server 2008 R2

Windows Vista

Windows Server 2008

Windows XP Professional x64 Edition

Windows Server 2003

Windows XP

Windows 2000

WebStroller=I

GetWindowsDirectoryW

GetCPInfo

KERNEL32.dll

CreateDialogIndirectParamW

GetKeyState

SetWindowsHookExW

UnhookWindowsHookEx

GetKeyNameTextW

MapVirtualKeyW

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardState

MapVirtualKeyExW

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GDI32.dll

MSIMG32.dll

COMDLG32.dll

WINSPOOL.DRV

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

COMCTL32.dll

UrlUnescapeW

SHLWAPI.dll

ole32.dll

OLEAUT32.dll

oledlg.dll

GdiplusShutdown

gdiplus.dll

OLEACC.dll

InternetCrackUrlW

InternetCanonicalizeUrlW

HttpQueryInfoW

InternetOpenUrlW

WININET.dll

IMM32.dll

WINMM.dll

.?AVCCmdUI@@

.PAVCMemoryException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCTestCmdUI@@

.?AVCHttpFile@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AVCMFCToolBarCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.PAVCOleDispatchException@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÃ

.?AVCCmdTarget@@

.PAVCException@@

.?AVCWebGrab@@

.?AVCWebGrabSession@@

.PAVCInternetException@@

.PAVCFileException@@

.?AVCWebPage@@

"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img1);

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img3);

if(document.getElementById("opt_checkbox1") != null)

document.getElementById("opt_checkbox1").disabled = true;

document.getElementById("opt_checkbox1").checked = true;

if(document.getElementById("opt_checkbox2") != null)

document.getElementById("opt_checkbox2").disabled = true;

document.getElementById("opt_checkbox2").checked = true;

if(document.getElementById("opt_checkbox3") != null)

document.getElementById("opt_checkbox3").disabled = true;

document.getElementById("opt_checkbox3").checked = true;

if(document.getElementById("opt_checkbox4") != null)

document.getElementById("opt_checkbox4").disabled = true;

document.getElementById("opt_checkbox4").checked = true;

if(document.getElementById("opt_checkbox5") != null)

document.getElementById("opt_checkbox5").disabled = true;

document.getElementById("opt_checkbox5").checked = true;

if(document.getElementById("checkbox_div") != null)

document.getElementById("checkbox_div").style.display = "none";

document.getElementById("opt_checkbox1").disabled = false;

document.getElementById("opt_checkbox2").disabled = false;

document.getElementById("opt_checkbox3").disabled = false;

document.getElementById("opt_checkbox4").disabled = false;

document.getElementById("opt_checkbox5").disabled = false;

document.getElementById("checkbox_div").style.display = "block";

Software Updater

By clicking "Next", I agree to the Terms of Use and Privacy Policy.

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img5);

div.progress {

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img9);

div.progressIndicator {

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img10);

div.progressVal {

.hidden {

position: absolute !important;

.focus {

background-color: #eee !important;

g_progress1.setValue("pb1",val);

g_progress2.setValue("pb2",val);

$(document).ready(function() {

this.valMax = max;

this.showVal = showVal;

this.divWidth = 0;

this.width = this.$container.width();

this.left = Math.round(this.$container.offset().left);

this.top = Math.round(this.$container.offset().top);

this.$container.append('

');

this.$container.append('

');

$('#' container_id '_progDiv').css('width', '0%');

this.$container.append('

');

this.$container.append('

');

$('#' container_id '_progVal').html('0%');

if (this.showVal == false) {

$('#' container_id '_progVal').addClass('hidden').attr('aria-hidden', 'true');

progressbar.prototype.setValue = function(container_id,val) {

var percent = val * 100 / this.valMax;

this.$container.attr('aria-valuenow', Math.round(percent));

$('#' container_id '_progDiv').css('width', percent '%'); //Math.round(percent) '%');

$('#' container_id '_progVal').html(this.$container.attr('aria-valuenow') '%');

progressbar.prototype.getProgress = function() {

return this.$container.attr('aria-valuenow');

progressbar.prototype.positionHandle = function($handle, val) {

var handleHeight = $handle.outerHeight(); // the total height of the handle

var handleWidth = $handle.outerWidth(); // the total width of the handle

valPos = ((val - this.min) / (this.max - this.min)) * this.width this.left;

xPos = Math.round(valPos - (handleWidth / 2));

yPos = Math.round(this.top (this.height / 2) - (handleHeight / 2));

$handle.css('top', yPos 'px');

$handle.css('left', xPos 'px');

$handle.attr('aria-valuenow', val);

if (/1$/.test($handle.attr('id')) == true) {

this.val1 = val;

this.val2 = val;

if (this.showVals == true) {

this.updateValBox($handle, Math.round(valPos));

progressbar.prototype.updateValBox = function() {

var $valBox = $('#' $handle.attr('id') '_val');

var boxWidth = $valBox.outerWidth();

yPos = $handle.css('top');

xPos = Math.round(valPos - (boxWidth / 2)) 'px';

$valBox.css('top', yPos);

$valBox.css('left', xPos);

$valBox.text($handle.attr('aria-valuenow'));

background:url(hXXp://installmetrix.com/common/interface/images/LRg1n8XGLt9Ry2RE_img7);

10065850

C:\WIND

CCC.jjj

SSShzzz

var x = document.cookie;

1 2$2(2,2

4L4]4w4

040:0`0}0

>&>,>"?9?

11?1^1

!171!2-2~2

=.=;=$>4>

8â€ž8S8b8p8

8Â8v8

5,626;6~6

515

4 4$4(4,4

> >$>(>,>0>4>8>

6 6$6(6,6064686

2 2$2(2,20242\2`2|2

= =$=(=,=0=4=8=

: :$:(:,:0:

? ?(?0?`?

;$;,;8;\;|;

7 7$7(7,7074787

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

KERNEL32.DLL

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

lX-X-x-XX-XXXXXX

Advapi32.dll

res://%s/%s

res://%s/%d

Acomctl32.dll

Acomdlg32.dll

Ashell32.dll

accKeyboardShortcut

wuser32.dll

hhctrl.ocx

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

Bf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

hXXp://

@WININET.DLL

SHELL32.DLL

lXXxXXXXXXXX

dwmapi.dll

UxTheme.dll

eShell32.dll

%s:%x:%x:%x:%x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

kernel32.dll

Af:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

mfcm100u.dll

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

&%d %s

Df:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

COMCTL32.DLL

USER32.DLL

KeyboardManager

MSG_CHECKEMPTYMINIFRAME

%sDockingManager-%d

MFCLink_UrlPrefix

MFCLink_Url

%sPane-%d%x

%sPane-%d

%sBasePane-%d%x

%sBasePane-%d

windows

ShowCmd

K%c%d%c%s

%sMDIClientArea-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

HHex={X,X,X}

C%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

Of:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

ENABLE_KEYS

KEYS_MENU

KEYS

ORICHED20.DLL

RGB(%d, %d, %d)

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

Software\Microsoft\NET Framework Setup\NDP\v2.0.50727

Software\Microsoft\NET Framework Setup\NDP\v1.1.4322

Software\Microsoft\.NETFramework\Policy\v1.0

%s %s

hXXp://%s

Downloading %s...

Installing %s...

hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=prechecking

hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=getcombo&offers=%s

%s is being installed

H:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl

%s (%s:%d)

.html

chrome

firefox

opera

%USERPROFILE%

amitest.txt

/s /t /i ElectroLyrics /u hXXp://VVV.amoninst.com/index.php

I/s /t /i WebStroller

hXXp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe

hXXps://sp-storage.spccinta.com/spidentifier/spidentifierstub/SPIdentifier.exe

hXXp://val.costmin.info

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Test|Result|1;

hXXp://VVV.wajam.com/download/wajam_validate.exe

Webstroller - Amonetize

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

%s = %s

Read %d bytes (%0.1f Kb/s)

Read %d bytes

Resolving name for %s

Resolved name for %s

Unknown status: %d

%System%\10065850

hXXp://totalnethits.biz/apps/softwareupdater.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\0542417287.html

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2199236299.html

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3984067087.html

hXXp://myfreedl.com/thankyou/index3.php

Please read the following important information and terms before continuing:

s Settings/Options tab. Learn more

If you elect to change your browser settings via Search Protect, your settings preferences will be applied to Chrome

, Firefox

If you elect to change your browser settings via your web browser, Search Protect will be disabled for that setting, therefore its ability to prevent third-party software from changing your settings will be halted.

In Chrome, browser settings can be changed via the Chrome menu or wrench icon. In Firefox, settings can be changed via the Firefox button or Tools menu. In Internet Explorer, settings can be changed via the gear icon or Tools menu. For all three browsers, new tab setting can be restored by opening a new tab and clicking

You can uninstall Search Protect at any time by using the standard uninstall process that is available as part of your operating system. In Microsoft Windows

Additional information for some versions of Search Protect is available on our help page.

, and Chrome

home page and search settings. Learn more

hXXps://sp-storage.spccinta.com/sp-downloader.exe

) THAT GOVERNS THE USE OF AND ACCESS TO THE SPPEDCHECKAPP WEBSITE (AVAILABLE AT: hXXp://speed-check.me/ (THE

1. LICENSE.Â We hereby grant you a personal, non-exclusive, non-transferable, non-assignable, non-sub-licenseable, revocable, limited license to install and use the Software on a personal computer and personally use the Software for the activities enabled via the Software solely in accordance with and subject to the terms set forth herein, the privacy policy set forth inÂ privacy policy, and in any accompanying user documentation. The Software may not be used for any other purposes. You may not use the Software if you are under 13 years of age or if you are not the owner or approved administrator of the computer on which you activated the Software. Note that additional terms and conditions may apply to you during the use of the Software due to third party services and content provisioning.Â

The Software is an Internet speed checker, letting you know your web-browsing speed; it is provided to you free of charge but will be sponsored by Sponsored Content (together with the technical support, updates and upgrades will be herein refer to as the

3. PERMISSIONS.Â By installing the Software you are giving us your express permission to: (a) scan your operating system and installed software to ensure compatibility of the Software with other software installed on your computer and to otherwise avoid collision of functionality; (b) operate in a proxy configuration as part of the Software and the Services (as defined under sections 1 to this License Agreement). Proxy is a server that acts as an intermediary for requests from clients seeking resources from other servers. If you wish to revert such proxy configuration to its original state, you have to completely uninstall the Software or use the opt out option that will be provided to you by us within some of the Services; (c) we may, now or in the future, use features or components to counter third party attempts to modify or replace your proxy configuration without notifying you or get your permission to do so; Such third parties may include (without limitation) malicious programs and other harmful code that, in some cases, may compromise your system (collectively or in separate

). You are hereby giving us your permission to use such features automatically without prior notification to you. Such features and components will act to protect your then-current proxy configurations, however we cannot guarantee 100% success and in no case we will be responsible for any Un-permitted Access or changes made to your system preferences or proxy configurations or to any damage that might have been caused to you due to Un-permitted Access; (d) to install automated updates to the Software on your computer as set forth in section 7; (e) place a small icon of the Software in your operating system

s icon tray, from which you will be able to operate the Software.

6. UPDATES/UPGRADES;Â We may or may not notify you at our discretion of available updates or upgrades. You hereby agree and acknowledge that we will periodically install automated updates without priory notify you and without any action on your part. Some updates/upgrades may be optional and some may be mandatory in order to operate the Software, maintain software compatibility, provide security updates, bug fixes or other Services or offer new features, functionality or versions.

7. CHANGES TO SOFTWARE OR LICENSE AGREEMENT;Â We reserve the right to change, modify, suspend, or discontinue any aspect of the Software or related Services at any time. We may also impose limits on certain features or restrict your access to parts or all of the Software without notice or liability. We reserve the right, at our sole and absolute discretion, to change, modify, add to or delete any of the terms and conditions of this License Agreement at any time, including without limiting the availability of any feature of the Software. Material changes will be disclosed to you through the Software and the Services. Your continued use of the Software, following any revision of the Software or this License Agreement, constitutes your complete and irrevocable acceptance of any and all such changes.

12.2. Waiver: Any failure of us to exercise or enforce any right or provision of this License Agreement will not operate as a waiver of such right or provision.

12.6. This License Agreement operates to the fullest extent permissible by applicable law. If any provision of this License Agreement is unlawful, void or unenforceable, that provision is deemed severable from this License Agreement and does not affect the validity and enforceability of any remaining provisions.

12.7. FeedBack; we want your feedback. Feel free to contact us at: support@speed-check.me

hXXp://dte.cachelocal.net/apps/dist/3333-5621_SpeedCheck.exe

HKEY_CURRENT_USER\Software\AppDataLow\Software\SpeedCheck;HKEY_CURRENT_USER\Software\SpeedCheck;

Rockettab adds a useful dock at the top of popular websites, which provides related search

results and ads which are not affiliated with the underlying websites. Please review all of the

hXXp://d2xrc29r3pc49q.cloudfront.net/release/rt-installer.exe

HKEY_CURRENT_USER\Software\Search Extensions;

hXXp://dl.softservers.net/111001500/OptimizerPro.exe

HKEY_CURRENT_USER\Software\Optimizer Pro|BuyNowURL;

You acknowledge and agree that by clicking on the "I AGREE" button (or similar buttons or links as may be designated by DESKTOP DOCK to show your acceptance of this Agreement and/or your agreement to download and install the Desktop Dock), you expressly acknowledge and agree to be bound by, the Terms of Service and Privacy Policy applicable to the DESKTOP DOCK Website and the content, services and features provided on or through the Desktop Dock, and any new versions or updates thereof. Both the Terms of Service and Privacy Policy can be accessed through the DESKTOP DOCK Website. For the Terms of Service, seeÂ hXXp://VVV.desktopdock.net/TOSÂ . For the Privacy Policy, seehXXp://VVV.desktopdock.net/PrivacyÂ .

2.1.1. Desktop Dock will permit third parties to, display advertising and other information within the interface of the Desktop Dock and/or in connection with the display of content and programming. Desktop Dock or the Desktop Dock serves, and permits third parties to serve, advertisements within or adjacent to the content and programming delivered to you by the Desktop Dock. You understand and agree that Desktop Dock, or applicable third parties, may include content-targeted advertisements or other related information, including content delivered via SSL/TSL, as further described in the Desktop Dock Privacy Policy. Your correspondence or business dealings with, or participation in promotions of, advertisers found on or through Desktop Dock, including payment and delivery of related goods or services, and any other terms, conditions, warranties or representations associated with such dealings, are solely between you and such advertiser.

2.1.2. Desktop Dock will take organizational and technical measures intended to protect the privacy and integrity of the computer resources (or other applicable device) you are utilizing, however, you acknowledge and agree that this is not a representation or warranty of Desktop Dock.

3.2.1. Operate or utilize the Desktop Dock in a manner that violates any applicable local, state, national or international law or governmental regulation, policy procedure or ordinance;

3.2.2. Operate or utilize the Desktop Dock, including the content, programming, services and features contained on or through the Desktop Dock, if this license has been terminated by Desktop Dock;

3.2.3. Operate or utilize the Desktop Dock , including the content, programming, services and features contained on or through the Desktop Dock , in a manner that violates the Terms of Service or Privacy Policy;

3.2.4. Operate or utilize the Desktop Dock for non-personal or commercial purposes or for the benefit of any third party or charge any person for the use or distribution of the Desktop Dock;

3.2.5. sell, assign, rent, lease, distribute, export, import, act as intermediary or provider, act as a service bureau, or otherwise grant rights in the Desktop Dock , including, without limitation, through sublicense, to any other person or entity;

3.2.6. Remove any proprietary notices from the Desktop Dock, or from any content, services, programming, or features contained on or through the Desktop Dock;

3.2.7. undertake, cause, permit or authorize the modification, creation of derivative works, translation, reverse engineering, decompiling, disassembling or hacking of the Desktop Dock Â and/or data and/or content or programming transmitted, processed or stored by Desktop Dock Â or other users of the Desktop Dock ;

3.2.8. use any unlicensed or unauthorized copies of the Desktop Dock;

3.2.9. collect any information or communication about the users of the Desktop Dock Â by monitoring, interdicting or intercepting any process of or communication initiated by the Desktop Dock Â or by developing or using any software or any other process or method that engages or assists in engaging in any of the foregoing;

3.2.10. use any type of bot, spider, virus, clock, timer, counter, worm, software lock, drop dead device, packet-sniffer, Trojan-horse routing, trap door, time bomb or any other codes or instructions that are designed to be used to provide a means of surreptitious or unauthorized access or that are designed to monitor, distort, delete, damage or disassemble the Desktop Dock or its ability to communicate and function with other computers running the Desktop Dock;

3.2.11. with the exception of completely deleting the Desktop Dock from your computer, and those actions permitted by your manual use of the user interface provided as part of the Desktop Dock, take any action, including downloading and/or using third party software, that (1) modifies the settings of the Desktop Dock as it functions with your computer, or (2) otherwise modifies, alters, blocks or interferes with the functioning of the Desktop Dock;

3.2.12. attempt to hack the Desktop Dock Â or any communication initiated by the Desktop Dock Â or to defeat or overcome any encryption and/or other technical protection methods implemented by Desktop Dock Â with respect to the Desktop Dock Â and/or data and/or content or programming transmitted, processed or stored by Desktop Dock Â or other users of the Desktop Dock ;

3.2.13. Interfere with or in any manner compromise any of Desktop Dock ' security measures; or

3.2.14. Alter, modify, delete, or otherwise interfere with or in any manner compromise any content, programming, advertising, services and/or features contained on or through the Desktop Dock, including, without limitation, the Desktop Dock

4.1.1. Desktop Dock, in its sole discretion, may discontinue or suspend your right to access the Desktop Dock or content delivered by Desktop Dock at any time for any reason, and may at any time suspend or terminate any license hereunder without prior notice for any reason.

4.1.2. Desktop Dock reserves the right to add or remove features or functions, or to provide upgrades, updates or programming fixes, to the Desktop Dock at any time in its sole discretion. You agree to accept any and all such upgrades, updates or programming fixes presented to you, including version updates.

4.1.3. When installed on your computer, the Desktop Dock may periodically communicate with Desktop Dock servers and/or Desktop Dock installed by other users.

4.1.4. Desktop Dock has no obligation to make available to you any subsequent versions of its software applications.

4.1.5. You can uninstall the Desktop Dock at any time, in your sole discretion, by using your computer

7.1. The links provided either through or framed within the Desktop Dock and any website operated by Desktop Dock or its affiliates are provided as a courtesy only, and the sites they link to are not under the control of Desktop Dock in any manner whatsoever. Therefore, Desktop Dock is in no manner responsible for the contents of any such linked site or any link contained within a linked site, including any changes or updates to such sites. Desktop Dock is providing these links merely as a convenience, and the inclusion of any link does not in any way imply or express affiliation, endorsement of or sponsorship by Desktop Dock of any linked site and/or any of its content therein.

10.1. THE DESKTOP DOCK IS PROVIDED "AS IS" AND THERE ARE NO WARRANTIES, CLAIMS OR REPRESENTATIONS MADE BY DESKTOP DOCK, EITHER EXPRESS, IMPLIED, OR STATUTORY, WITH RESPECT TO THE DESKTOP DOCK, INCLUDING, BUT NOT LIMITED TO WARRANTIES OF QUALITY, PERFORMANCE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE, NOR ARE THERE ANY WARRANTIES CREATED BY COURSE OF DEALING, COURSE OF PERFORMANCE, OR TRADE USAGE. FURTHER, DESKTOP DOCK DOES NOT REPRESENT OR WARRANT THAT THE DESKTOP DOCK WILL ALWAYS BE AVAILABLE, ACCESSIBLE, UNINTERRUPTED, TIMELY, SECURE, ACCURATE, COMPLETE, ERROR-FREE, OR WILL OPERATE WITHOUT PACKET LOSS, NOR DOES DESKTOP DOCK WARRANT ANY CONNECTION TO OR TRANSMISSION FROM THE INTERNET, OR ANY QUALITY OF TRANSMISSIONS OF DATA MADE THROUGH THE DESKTOP DOCK.

11.1. IN NO EVENT SHALL DESKTOP DOCK , ITS AFFILIATES, PARENT COMPANIES, SUBSIDIARIES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS OR BUNDLED SOFTWARE PROVIDERS BE LIABLE WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED), PRODUCT LIABILITY OR STRICT LIABILITY OR OTHER THEORY), FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION ANY LOSS OF DATA, SERVICE INTERRUPTION, COMPUTER FAILURE OR PECUNIARY LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE DESKTOP DOCK , INCLUDING ANY DAMAGES RESULTING THEREFROM, EVEN IF DESKTOP DOCK Â HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.3. Investigation; Disclosure. Desktop Dock reserves the right to investigate occurrences which may involve any violations of this Agreement, the Terms of Service or Privacy Policy, and may involve, and cooperate with, law enforcement authorities in prosecuting users who have participated in such violations. You expressly acknowledge and agree that Desktop Dock may disclose information provided by you to comply with law enforcement or any legal, governmental or regulatory order or action.

12.4. Reservation of Rights; Modification. Desktop Dock reserves all rights not expressly granted in this Agreement. Desktop Dock may modify this Agreement at any time by providing such revised Agreement to you or posting the revised Agreement on the Desktop Dock Website. Your continued use of the Desktop Dock shall constitute your acceptance to be bound by the terms and conditions of such revised Agreement.

Â 12.9.1. Agreement: this End User License Agreement, as may be renewed, modified and/or amended from time to time.

Â 12.9.2. Intellectual Property Rights: any and all intellectual property rights, including but not limited to copyrights, trademarks and patents, as well as knowhow and trade secrets contained in or relating to the Desktop Dock or the Desktop Dock Website.

Â 12.9.3. Desktop Dock: refers to Howard Software Ltd, a company registered in U.K.

Â 12.9.4. Desktop Dock : the software distributed by Desktop Dock Â (including all software and code in such software) that provides for, among other matters, the digital distribution of video and other content, and all future programming fixes, updates and upgrades thereof. The term "Desktop Dock

Â 12.9.5. Desktop Dock Â Website: any and all elements, contents and the 'look and feel' of the website available under the URLVVV.desktopdock.com, among other URLs, from which website the Desktop Dock Â can be downloaded.

Â 12.9.6. Privacy Policy: means the privacy policy set forth by Desktop Dock from time to time at VVV. desktopdock.com/privacy with respect to the collection of information from users of the Desktop Dock.

Â 12.9.7. Terms of Service: means the agreement between Desktop Dock Â and you for the use of the Desktop Dock Â and the content, services and features provided on or through the Desktop Dock , which can be found by visiting the TOS page on this site;

Â 12.9.8. You: you, the end user of the Desktop Dock, also used in the form "your" where applicable.

14.0. The Software Products runs off an ad-supported platform. During general internet usage on sites where Software Products operates, users may see advertisement. The type of ad is dependent on the content of the page as you generally browse the internet. Software Products is not related to or endorsed by the underlying website. These advertisements will be identified with the Software Products Name or Logo.

Desktop Dock is ad-supported software and displays advertisements during your web browsing experience. By clicking "Next Step", you agree to the Desktop Dock EULA and Privacy Policy and consent to install Desktop Dock. The software can be removed any time via the Add/Remove Programs Utility.

hXXp://ogdelivery.com/DesktopDock/Setup.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DesktopDock;HKEY_CURRENT_USER\Software\DesktopDock;

Consumer Input (softpublisher)

Download the software to join the Consumer Input Research Panel, provided by Compete, and register to receive $5 or more in gift cards for each survey you successfully complete!

Online activities: This includes the search terms you enter and the results of such searches, the videos you view, the products you shop for online, information you enter into forms, the materials you download or upload, the advertisements you see, information and content on web pages you visit or with which you interact and may include personal, financial and health information.

Information on secure pages: This includes information and content from protected or secure pages that you access, such as online accounts or the content of complete and incomplete consumer transactions when you are checking out through a website

s shopping cart, even if the website makes this information unreadable to others.

System information: This includes information about the computer and browser that you are running on, including the IP address of the computer, how the software is operating, and which other applications are installed or running.

Filtering of certain personally identifiable or sensitive information - Compete has established certain procedural and technical privacy rules designed to try to avoid the use of certain types of personally identifiable and sensitive information that can be identified by those processes, such as credit card numbers, social security numbers, email addresses and email content from most web-based email accounts. Despite our efforts, certain personally identifiable or sensitive information might get through the privacy rules and procedures. However, we do not knowingly use any inadvertently retained personally identifiable or sensitive information in our services.

If you participate in any other research panels or programs run by us (whether directly or indirectly, and regardless of device and applicable policy for each such other program), by joining this program you agree that we may use any information we have about you to match the data collected through this program with the data collected through such other panels and programs (including data collected in the past), and use the combined

data pursuant to the most restrictive applicable privacy policy. If you are upgrading the Software from an older version, re-joining this research program, or otherwise accepting the latest version of this Policy, you agree that after doing so, your data previously collected by Compete under your prior participation in the program may be used as described in this Policy. You may always uninstall the Software by following the instructions provided here. You may always uninstall the Software by following the removal instructions provided here hXXps://VVV.consumerinput.com/removal/.

By clicking "Next" you are agreeing to the Consumer Input End User License Agreement and Privacy Policy and consent to install Consumer Input and automatically enable it on your Firefox, Internet Explorer and Chrome browsers. You may always uninstall the Software by following the removal instructions provided here.

hXXps://securehost-2.com/offers/InstallMetrix_ConsumerInput_new.exe

HKEY_CURRENT_USER\Software\ConsumerInput;

NOTICE TO USER:Â THE TERMS BELOW ARE A BINDING AGREEMENT. BY CLICKING "I ACCEPT" BELOW OR BY DOWNLOADING, INSTALLING OR ACTIVATING OR USING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT, THAT YOU UNDERSTAND IT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT, PROMPTLY EXIT THIS PAGE WITHOUT DOWNLOADING, INSTALLING OR ACTIVATING THE SOFTWARE. YOU UNDERSTAND THAT YOU WILL BE INSTALLING CERTAIN SOFTWARE ON YOUR COMPUTER SYSTEM, AND YOU EXPRESSLY CONSENT TO SUCH INSTALLATION ON YOUR COMPUTER.

username and password (or other login information) are secure. Your Device and all Data on such Device is at risk if you let someone use your account inappropriately. You should not reveal your password to other users. Licensor will not ask you to reveal your password. If you forget your password, you can request to have a new password sent to your registered e-mail address. You agree to immediately notify Licensor of any unauthorized use of your VuuPC

account or password. Licensor will not be liable for any losses or damage arising from unauthorized use of your account or password, and you agree to indemnify and hold Licensor harmless for any improper or illegal use of your account.

No Warranty.Â The software and documentation is provided "AS-IS". Licensor expressly disclaims any warranties (including with regard to the performance of the software) and without limitation, express or implied warranties of merchantability, fitness for a particular purpose or non-infringement. Licensor does not warrant that the software or documentation will meet your requirements, that the operation of the software will be continuous or error-free, that the software will operate as intended or at all under all conditions, that any defects in the software will be corrected by licensor, that the software or documentation will not infringe a third party's intellectual property rights or that any modifications to or enhancements of the software or documentation will be provided by licensor.

Software Updates; Toolbar; Changes.Â The installation and use of the Software is currently not for charge, but Licensor may begin charging for the installation or use of the Software or part thereof at any time. Licensor reserves the right to update or modify the Software at any time, from time to time in its sole discretion, including without limitation to increase or change functionality. You understand the installation of the Software is concomitant with the installation of a toolbar in your browser. Such toolbar is an integral part of the Software, and you agree that Licensor may install and update any such toolbar in your browser. Licensor may modify the toolbar, according to Licensor's commercial requirements. You understand that installation of the Software may be accompanied by a change in your browser home page, certain computer settings and the redirection of certain Internet search traffic. By installing or using the Software you expressly agree that Licensor may perform the actions enumerated in this Section 10.

Compliance with Laws.Â You agree to comply with all applicable local, state, national and foreign laws, rules, and regulations, including, but not limited to, all applicable import and export laws and regulations, in connection with their performance, access and use of the Software and the Services. Licensor does not guarantee that the Software and Services shall be appropriate or available for use in any particular location and you are responsible for compliance with local laws to the extent applicable.

High Risk Activities.Â The Software is not fault-tolerant and is not designed, manufactured or intended for use or resale as or with on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines or weapon systems in which the failure of the Software or Services could lead directly to death, personal injury or severe physical or environmental damage ("High Risk Activities"). Accordingly, Licensor specifically disclaims any express or implied warranty of fitness for High Risk Activities.

Publicity.Â Licensor shall have the right to publish the identification of you as a user of the Service. You agree that Licensor may use any logo or name associated with you on Licensor's web site and other marketing materials in order to identify you as Licensor's customers.

Beta Version.Â This Section 14 applies with respect to any Beta version of the Software made available to you for testing and feedback. You acknowledge that the Beta version you are evaluating may contain bugs, errors and other problems and is provided to you on an "as-is" basis. You further acknowledge the importance of communication between you and Licensor during your use of the Beta Services and hereby agree to receive related correspondence and updates from Licensor. During the Beta program, you may be asked to provide feedback regarding the Software and Services and you hereby grant to Licensor a perpetual, royalty-free, sublicensable through multiple tiers of sublicensees, worldwide license to use and incorporate such feedback into any Licensor product or service at any time at the sole discretion of Licensor.

Modifications. Licensor may modify this Agreement from time to time at its sole discretion, and shall modified Agreement shall be available atÂ VVV.VuuPC.comÂ website and shall be effective immediately to your use of the Software. You should check often to see if Licensor has modified this Agreement. Licensor shall provide you with a copy of any significant modifications to this Agreement, including without limitation via email, and such modifications shall be effective immediately upon your receipt thereof.

hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage;

1.0.0.1

InstallerManager.exe

All Files (*.*)

No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.

#Unable to load mail system support.

Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents

%s [Recovered]