Trojan-Downloader.Win32.Genome.hurb (Kaspersky), Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ac0a46831c9c3cbc19e898321a86f789
SHA1: c44a8c9ed046da8e731938248b38a5ddd88f3d3c
SHA256: c0db83d5f0d6ba74780777d67bf813b7c891649e12631e369fb248e53190c4c0
SSDeep: 3072:nUc061qnIgiFwmg7y7CJowrIZFoiSkqXFrX1I lCF:r0agTJowrEWLI cF
Size: 99254 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-06 17:31:19
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
install_helper_FF.exe:500
taskkill.exe:1964
taskkill.exe:1240
taskkill.exe:776
BackgroundHost.exe:2036
PCPerformerSetup.tmp:548
%original file name%.exe:396
PCPerformerSetup.exe:284
PCPerformer.exe:476
SpeedTest.exe:1220
regsvr32.exe:788
regsvr32.exe:1272
regsvr32.exe:1432
install_helper_IE.exe:604
speedtest187.exe:356
The Trojan injects its code into the following process(es):
BackgroundHost.exe:1300
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process install_helper_FF.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\settings.json (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\jquery-1.9.1.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon18.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\install.rdf (987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon16.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\options.xul (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\rjs.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.ico (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon64.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\skin\framework.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\config.js (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon128.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\subscriptloader.js (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\content.js (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\icon.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.js (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.js (1256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.xul (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon24.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\background.html (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\framework.png (973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome.manifest (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon32.ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\icon48.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp\chrome\content\button.xml (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ffe6.tmp (0 bytes)
The process BackgroundHost.exe:1300 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
The process PCPerformerSetup.tmp:548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PC Performer\is-TI75V.tmp (673 bytes)
%Program Files%\PC Performer\unins000.dat (9720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Performer\is-FK08C.tmp (32429 bytes)
%Program Files%\PC Performer\is-LO644.tmp (601 bytes)
%Program Files%\PC Performer\is-0MQOJ.tmp (601 bytes)
%System%\roboot.exe (17 bytes)
%Program Files%\PC Performer\is-88KFP.tmp (10177 bytes)
%Program Files%\PC Performer\is-OR8M6.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Performer\Uninstall PC Performer.lnk (722 bytes)
%Program Files%\PC Performer\is-RFK2G.tmp (601 bytes)
%Program Files%\PC Performer\is-J0TH5.tmp (673 bytes)
%Program Files%\PC Performer\is-CLLEA.tmp (601 bytes)
%Program Files%\PC Performer\is-DRJ95.tmp (673 bytes)
%Program Files%\PC Performer\is-US574.tmp (601 bytes)
%Program Files%\PC Performer\is-ET5QL.tmp (601 bytes)
%Program Files%\PC Performer\is-E9OU8.tmp (54184 bytes)
%Program Files%\PC Performer\is-KJP91.tmp (601 bytes)
%Program Files%\PC Performer\is-LDHVJ.tmp (601 bytes)
%Program Files%\PC Performer\is-6F8RF.tmp (46 bytes)
%Program Files%\PC Performer\is-UQFA0.tmp (601 bytes)
%Program Files%\PC Performer\is-EIDVD.tmp (601 bytes)
%Program Files%\PC Performer\is-R0INF.tmp (45 bytes)
%Program Files%\PC Performer\is-JH9KP.tmp (601 bytes)
%Documents and Settings%\All Users\Desktop\PC Performer.lnk (725 bytes)
%Program Files%\PC Performer\unins000.msg (302 bytes)
%Program Files%\PC Performer\is-O468T.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Performer\PC Performer.lnk (737 bytes)
%Program Files%\PC Performer\is-5Q9FR.tmp (601 bytes)
%Program Files%\PC Performer\is-T36CQ.tmp (601 bytes)
%Program Files%\PC Performer\is-0S898.tmp (601 bytes)
%Program Files%\PC Performer\is-QUT18.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\roboot.exe (17 bytes)
%Program Files%\PC Performer\is-UG752.tmp (57 bytes)
%Program Files%\PC Performer\is-3J2TL.tmp (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\roboot.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I78HR.tmp\_isetup (0 bytes)
The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll (2218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\StdUtils.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\speedtest187Setup[1].exe (122458 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\PCPerformerSetup.exe (201724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\PCPerformerSetup_genericv3[1].exe (201724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\country[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
C:\END (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\domain.txt (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\country.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\SpeedTest.exe (122458 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\domain.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PCP SpeedTest_187\country.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (0 bytes)
The process PCPerformerSetup.exe:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp\PCPerformerSetup.tmp (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D10K8.tmp\PCPerformerSetup.tmp (0 bytes)
The process PCPerformer.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\PC Performer_UPDATES.job (268 bytes)
%WinDir%\Tasks\PC Performer_DEFAULT.job (260 bytes)
%Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\log_08-09-2014.log (8116 bytes)
%Documents and Settings%\%current user%\Application Data\PerformerSoft\PC Performer\eng_rcp.dat (3172 bytes)
The process SpeedTest.exe:1220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\bin\DeskTopIcon.ico (16 bytes)
%Program Files%\Speed Test 187\speedtest187.ico (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.exe (71964 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.xpi (9544 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\DeskTopIcon.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper.exe (53430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_FF.exe (6841 bytes)
%Documents and Settings%\%current user%\Desktop\Speed Test.lnk (1 bytes)
%Program Files%\Speed Test 187\uninstall_nsis.exe (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\speedtest187.crx (8658 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\speedtest187\install_helper_IE.exe (6841 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)
The process speedtest187.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Speed Test 187\config.xml (1 bytes)
%Program Files%\Speed Test 187\icon32.png (3 bytes)
%Program Files%\Speed Test 187\AddonsFramework.Typelib64.dll (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\UAC.dll (13 bytes)
%Program Files%\Speed Test 187\options.htm (780 bytes)
%Program Files%\Speed Test 187\icon24.png (2 bytes)
%Program Files%\Speed Test 187\icon48.ico (25 bytes)
%Program Files%\Speed Test 187\ButtonSite.dll (7938 bytes)
%Program Files%\Speed Test 187\json2.min.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\ie9install.bmp (2712 bytes)
%Program Files%\Speed Test 187\content.js (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\help_page.ini (1537 bytes)
%Program Files%\Speed Test 187\jquery-1.9.1.min.js (2410 bytes)
%Program Files%\Speed Test 187\icon24.ico (2 bytes)
%Program Files%\Speed Test 187\icon16.png (1 bytes)
%Program Files%\Speed Test 187\icon64.ico (25 bytes)
%Program Files%\Speed Test 187\background.html (939 bytes)
%Program Files%\Speed Test 187\uninstall.exe (794 bytes)
%Program Files%\Speed Test 187\icon32.ico (10 bytes)
%Program Files%\Speed Test 187\icon16.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\System.dll (11 bytes)
%Program Files%\Speed Test 187\icon128.png (647 bytes)
%Program Files%\Speed Test 187\icon128.ico (25 bytes)
%Program Files%\Speed Test 187\ButtonSite64.dll (10790 bytes)
%Program Files%\Speed Test 187\updater.js (3 bytes)
%Program Files%\Speed Test 187\AddonsFramework.Typelib.dll (2128 bytes)
%Program Files%\Speed Test 187\BackgroundHost.exe (15235 bytes)
%Program Files%\Speed Test 187\BackgroundHost64.exe (15445 bytes)
%Program Files%\Speed Test 187\icon18.png (1 bytes)
%Program Files%\Speed Test 187\rjs.js (1 bytes)
%Program Files%\Speed Test 187\icon64.png (7 bytes)
%Program Files%\Speed Test 187\ScriptHost64.dll (10843 bytes)
%Program Files%\Speed Test 187\button.js (491 bytes)
%Program Files%\Speed Test 187\icon48.png (5 bytes)
%Program Files%\Speed Test 187\ScriptHost.dll (9711 bytes)
%Program Files%\Speed Test 187\updaterWrapper.js (2 bytes)
%Program Files%\Speed Test 187\icon18.ico (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\help_page.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk5.tmp\ie9install.bmp (0 bytes)
Registry activity
The process install_helper_FF.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E9 41 84 4C 60 95 C6 A4 2C 03 94 02 A5 DC E6"
[HKCU\Software\Mozilla\Firefox\Extensions]
"speedtest187@SpeedTest" = "C:\Documents\speedtest187@SpeedTest"
The process taskkill.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 D7 36 8E 13 71 C3 5B C4 6D 48 09 07 4F 42 C3"
The process taskkill.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 68 B1 75 3E 2F 77 8A F1 BA 20 41 9E EE AE 63"
The process taskkill.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 4F 0E 55 A3 41 A8 56 51 C1 45 77 F8 A0 70 0B"
The process BackgroundHost.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\ProgID]
"(Default)" = "Speed Test 187.BackgroundHostObject.1"
[HKCR\AppID\BackgroundHost.EXE]
"AppID" = "{18B9B16E-716F-43DF-A6AD-512C7D2EB983}"
[HKCR\Speed Test 187.BackgroundHostObject.1\CLSID]
"(Default)" = "{D058E340-4C95-4A15-A69F-8EE1AEE76E96}"
[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.BackgroundHostObject"
[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\LocalServer32]
"(Default)" = "%Program Files%\Speed Test 187\BackgroundHost.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"AppPath" = "%Program Files%\Speed Test 187"
[HKCR\Speed Test 187.BackgroundHostObject.1]
"(Default)" = "BackgroundHostObject Class"
[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}]
"(Default)" = "BackgroundHostObject Class"
[HKCR\Speed Test 187.BackgroundHostObject]
"(Default)" = "BackgroundHostObject Class"
[HKCR\CLSID\{D058E340-4C95-4A15-A69F-8EE1AEE76E96}\TypeLib]
"(Default)" = "{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}"
[HKCR\Speed Test 187.BackgroundHostObject\CLSID]
"(Default)" = "{D058E340-4C95-4A15-A69F-8EE1AEE76E96}"
[HKCU\Software\Speed Test 187]
"elevationPolicyGuid" = "{DD2AF093-42BC-4bde-93F4-07F4C3169D76}"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"(Default)" = "{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}"
[HKCR\Speed Test 187.BackgroundHostObject\CurVer]
"(Default)" = "Speed Test 187.BackgroundHostObject.1"
[HKCR\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
"(Default)" = "BackgroundHost"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\BackgroundHost.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"AppName" = "BackgroundHost.exe"
[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 64 1B 7E 02 CD 39 22 9F F9 18 12 9B 5D B7 52"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD2AF093-42BC-4bde-93F4-07F4C3169D76}]
"Policy" = "3"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}]
"(Default)" = "IBackgroundHost"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0]
"(Default)" = "BackgroundHost 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
"BackgroundHost.exe" = "1"
[HKCR\TypeLib\{0471A919-4EC9-4BA1-BA53-5490B91EC7DD}\1.0\FLAGS]
"(Default)" = "0"
The process BackgroundHost.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080920140810\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C1 59 21 D9 B6 34 EB 48 2D E0 AF B8 4C F4 8A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080920140810]
"CachePrefix" = ":2014080920140810:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]
The process PCPerformerSetup.tmp:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoTutorial" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Setup Version" = "5.5.2 (u)"
[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanOnLaunch" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: App Path" = "%Program Files%\PC Performer"
"Publisher" = "PerformerSoft LLC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanPMUI" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"InstallDate" = "20140809"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"MinorVersion" = "10"
[HKCU\Software\PerformerSoft\PC Performer]
"TrialType" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayIcon" = "%Program Files%\PC Performer\PCPerformer.exe"
"HelpLink" = "http://www.Performersoft.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"QuietUninstallString" = "%Program Files%\PC Performer\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\PerformerSoft\PC Performer\LANG]
"LangID" = "0"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"MaxFixLimit" = "100"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayName" = "PC Performer"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"TELNO" = "(800) 871-7907"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"URLInfoAbout" = "http://www.Performersoft.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"InstallLocation" = "%Program Files%\PC Performer\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Icon Group" = "PC Performer"
"UninstallString" = "%Program Files%\PC Performer\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"Inno Setup: Language" = "en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\PerformerSoft\PC Performer\LANG]
"LangID" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D1 5B 41 3A BA 2D FB 93 2C F0 B7 A3 1D CF D5"
[HKCU\Software\PerformerSoft\PC Performer\LANG]
"LangCode" = "en"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"DisplayVersion" = "11.10"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1]
"MajorVersion" = "11"
The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"INSTALL_URL" = "http://performersoft.com/pcperformer/welcome/index.php?cid=4751"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"RENEWALURL" = "http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?renew=1&cid=4751"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 10 02 4F 31 9B 2F 63 35 35 FF 3E DF 93 C4 68"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"UNINSTALL_URL" = "http://performersoft.com/pcperformer/afteruninstall.php?cid=4751"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"RCPURL" = "http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?cid=4751"
The Trojan modifies the IE security-zone settings to map all local web nodes with no dots in their names, and which do not belong to any other zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process PCPerformerSetup.exe:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 E0 EA B9 3F 86 A1 9C 43 94 0D BA BB 9E 44 19"
The process PCPerformer.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}]
"(Default)" = "Microsoft DirectInputDevice8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\PerformerSoft\PC Performer]
"StartAutoScanPMUI" = "0"
[HKCU\Software\Licenses]
"{K7C0DB872A3F777C0}" = "98 D2 7E 56 43 16 1F 05 48 6E 02 90 27 91 BF BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1371634005"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}\InprocServer32]
"(Default)" = "%System%\dinput8.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "PCPerformer.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\PerformerSoft\PC Performer]
"FirstRun" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\PerformerSoft\PC Performer]
"Expired" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 12 8C C9 8B 70 C6 C4 75 16 B8 FC DC 03 79 0D"
[HKCU\Software\Licenses]
"{R7C0DB872A3F777C0}" = "4A 8D 7D 4C"
"{IB278E36AA51C7412}" = "01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Licenses]
"{0B278E36AA51C7412}" = "56 3E A8 0E 0B A2 A7 A6 41 06 53 98 78 A5 44 A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To run automatically each time Windows boots, the Trojan adds the following entry, pointing to its file, to the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RDReminder" = "%Program Files%\PC Performer\PCPerformer.exe -rem"
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}]
"0"
The process SpeedTest.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 FA 88 C3 3C BC D9 1C 6E 49 D0 0A 4F A0 C8 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"Publisher" = "Speed Analysis"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"UninstallString" = "%Program Files%\Speed Test 187\uninstall_nsis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process regsvr32.exe:788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}]
"(Default)" = "IUI"
[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\AddonsFramework.DLL]
"AppID" = "{19975B78-1907-4DD6-A437-4C48120F46A4}"
[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}]
"(Default)" = "IExposedContent"
[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0]
"(Default)" = "AddonsFramework 1.0 Type Library"
[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}]
"(Default)" = "IBrowserEvents"
[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\AddonsFramework.Typelib.dll"
[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}]
"(Default)" = "IExposed"
[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}]
"(Default)" = "IBackgroundEvents"
[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}]
"(Default)" = "IExtensionContent"
[HKCR\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
"(Default)" = "AddonsFramework"
[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}]
"(Default)" = "IButton"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 19 58 98 DE 27 0D 8F CB 4F 7F 4E E1 07 FA 43"
[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}]
"(Default)" = "IBrowserFrame"
[HKCR\TypeLib\{D5B70EEE-9F28-4368-A960-670C5D543131}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"
[HKCR\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}]
"(Default)" = "IContentEvents"
[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}]
"(Default)" = "IInternalEvents"
[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}]
"(Default)" = "IContextMenuItem"
[HKCR\Interface\{BBBE01ED-0F1E-44DB-88C1-5CC1AEE3B462}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}]
"(Default)" = "IBrowser"
[HKCR\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}]
"(Default)" = "IExtension"
[HKCR\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib]
"(Default)" = "{D5B70EEE-9F28-4368-A960-670C5D543131}"
[HKCR\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process regsvr32.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 33 08 73 49 9D EF 4A 65 81 E1 A5 22 2B C4 64"
[HKCR\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
"(Default)" = "ButtonSite"
[HKCR\Speed Test 187.Navbar.1]
"(Default)" = "Navbar Class"
[HKCR\Speed Test 187.Navbar.1\CLSID]
"(Default)" = "{06FD8960-0295-4029-A3FA-E0027664272F}"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\ProgID]
"(Default)" = "Speed Test 187.Navbar.1"
[HKCR\Speed Test 187.Navbar\CLSID]
"(Default)" = "{06FD8960-0295-4029-A3FA-E0027664272F}"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\TypeLib]
"(Default)" = "{196FE301-0D95-4194-BFB8-3A174AAD6ED2}"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ButtonSite.dll"
[HKCR\Speed Test 187.Navbar]
"(Default)" = "Navbar Class"
[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"
[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\ButtonSite.dll"
[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{196FE301-0D95-4194-BFB8-3A174AAD6ED2}\1.0]
"(Default)" = "ButtonSiteLib"
[HKCR\AppID\ButtonSite.DLL]
"AppID" = "{562B9317-C08A-444A-9482-62080DD851AE}"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}]
"(Default)" = "Navbar Class"
[HKCR\Speed Test 187.Navbar\CurVer]
"(Default)" = "Speed Test 187.Navbar.1"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.Navbar"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\TypeLib]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\VersionIndependentProgID]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\Programmable]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\ProgID]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}\InprocServer32]
[HKCR\CLSID\{06FD8960-0295-4029-A3FA-E0027664272F}]
The process regsvr32.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Speed Test 187.ScriptHostObject\CurVer]
"(Default)" = "Speed Test 187.ScriptHostObject.1"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.Tool"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\VersionIndependentProgID]
"(Default)" = "Speed Test 187.ScriptHostObject"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Speed Test 187"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\ProgID]
"(Default)" = "Speed Test 187.Tool.1"
[HKCR\Speed Test 187.ScriptHostObject.1\CLSID]
"(Default)" = "{4A3FC207-C86D-4F11-890A-CA9F75578303}"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\ProgID]
"(Default)" = "Speed Test 187.ScriptHostObject.1"
[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\InprocServer32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"
[HKCU\Software\Speed Test 187]
"installId" = "BD0CAE40-FA0F-485f-886C-43C15CEFD364"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}]
"(Default)" = "ITool"
[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0\0\win32]
"(Default)" = "%Program Files%\Speed Test 187\ScriptHost.dll"
[HKCR\Speed Test 187.Tool\CLSID]
"(Default)" = "{20EFA753-0D46-4E16-B58D-648F591861CB}"
[HKCR\Speed Test 187.Tool\CurVer]
"(Default)" = "Speed Test 187.Tool.1"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"(Default)" = "Speed Test 187"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"
[HKCR\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
"(Default)" = "Speed Test 187"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}]
"(Default)" = "Tool Class"
[HKCR\Speed Test 187.ScriptHostObject\CLSID]
"(Default)" = "{4A3FC207-C86D-4F11-890A-CA9F75578303}"
[HKCR\TypeLib\{30CC01EB-B247-44A6-8E32-59736942ECC0}\1.0]
"(Default)" = "ScriptHost 1.0 Type Library"
[HKCR\AppID\ScriptHost.DLL]
"AppID" = "{562B9316-C08A-444A-9482-62080DD851AE}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 FA 50 DC 79 5C 75 04 C5 95 AF 41 CC A0 A2 4C"
[HKCR\Speed Test 187.Tool]
"(Default)" = "Tool Class"
[HKCR\Speed Test 187.ScriptHostObject]
"(Default)" = "Speed Test 187"
[HKCR\CLSID\{4A3FC207-C86D-4F11-890A-CA9F75578303}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib]
"Version" = "1.0"
[HKCR\Speed Test 187.Tool.1]
"(Default)" = "Tool Class"
[HKCR\Speed Test 187.ScriptHostObject.1]
"(Default)" = "Speed Test 187"
[HKCR\Speed Test 187.Tool.1\CLSID]
"(Default)" = "{20EFA753-0D46-4E16-B58D-648F591861CB}"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\TypeLib]
"(Default)" = "{30CC01EB-B247-44A6-8E32-59736942ECC0}"
[HKCR\CLSID\{20EFA753-0D46-4E16-B58D-648F591861CB}\InprocServer32]
"ThreadingModel" = "Apartment"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"NoExplorer" = "1"
The process install_helper_IE.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 94 9A 83 33 77 FB 09 6B 33 26 CB 37 E0 17 41"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"Flags" = "0"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{4A3FC207-C86D-4F11-890A-CA9F75578303}" = "51 66 7A 6C 4C 1D 3B 1B 17 DD 25 57 5E 99 7D 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A3FC207-C86D-4F11-890A-CA9F75578303}]
"Version" = "*"
The process speedtest187.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"URLInfoAbout" = "http://www.speedanalysis.com/"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"DisplayIcon" = "%Program Files%\Speed Test 187\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Internet Explorer\MINIE]
"CommandBarEnabled" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"Publisher" = "Speed Test"
"DisplayName" = "Speed Test 187"
"instdir" = "%Program Files%\Speed Test 187"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A AB AF FD D4 EE 9F 67 4F 23 83 93 34 C5 78 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Speed Test 187]
"UninstallString" = "%Program Files%\Speed Test 187\uninstall.exe"
"DisplayVersion" = "3.0.0.0"
The Trojan modifies the IE security-zone settings to map all local web nodes with no dots in their names, and which do not belong to any other zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
6f3836f88650b30d234607ea90ac8513 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\Hash_HMAC.dll |
db2927610df2ff9888b394a3c8a918db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\PCPerformerSetup.exe |
34c00546ff4ef8a79d0a64d0b960a787 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\PCP SpeedTest_187\SpeedTest.exe |
bd23a611a8a2c22a6944f92825164ffa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper.exe |
bd23a611a8a2c22a6944f92825164ffa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper_FF.exe |
bd23a611a8a2c22a6944f92825164ffa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\install_helper_IE.exe |
23bcac4a7c2f60a37937a9b484d18cda | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\speedtest187\speedtest187.exe |
34c00546ff4ef8a79d0a64d0b960a787 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\speedtest187Setup[1].exe |
db2927610df2ff9888b394a3c8a918db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\PCPerformerSetup_genericv3[1].exe |
585a696b6f4b05ad834bdc914bcb67c4 | c:\Program Files\PC Performer\CleanSchedule.exe |
03a4ba08f44d8c0efa2bbd9c7b3ad341 | c:\Program Files\PC Performer\PCPerformer.dll |
26135c4c84d63aa01b4bb20d8d2208ec | c:\Program Files\PC Performer\PCPerformer.exe |
a0c2f8f26ac379d5ff10073cb86c6822 | c:\Program Files\PC Performer\isxdl.dll |
3363b73d1a770440bd96214026dbd53e | c:\Program Files\PC Performer\unins000.exe |
71a2dca8f626fcef8bff7e2c17c67a7f | c:\Program Files\PC Performer\xmllite.dll |
e2cb5a6f64c60aaceb387e4d5146ac54 | c:\Program Files\Speed Test 187\AddonsFramework.Typelib.dll |
1ff1e74d7d66ba59900398511ace3cb6 | c:\Program Files\Speed Test 187\AddonsFramework.Typelib64.dll |
668796a2b31e2d971dc78872b2f7da2a | c:\Program Files\Speed Test 187\BackgroundHost.exe |
fa7bd72fcddd1e370f936a9386f5f358 | c:\Program Files\Speed Test 187\BackgroundHost64.exe |
b9ceee3108905b38e5ae32ab44968a56 | c:\Program Files\Speed Test 187\ButtonSite.dll |
fd77f02f5047e9bc75ff9c8ac642905d | c:\Program Files\Speed Test 187\ButtonSite64.dll |
b7d7ca9989bff651582021d283cffd76 | c:\Program Files\Speed Test 187\ScriptHost.dll |
169366dbbd04f38604c29dfc2d4773f1 | c:\Program Files\Speed Test 187\ScriptHost64.dll |
98b17f4587d8236a883077ad8d67c4ab | c:\Program Files\Speed Test 187\uninstall.exe |
ea3cca7c354681ada6fb436537713011 | c:\Program Files\Speed Test 187\uninstall_nsis.exe |
b1ec55fff33635ba5faf87c95b2b53ac | c:\WINDOWS\system32\roboot.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process(es):
install_helper_FF.exe:500
taskkill.exe:1964
taskkill.exe:1240
taskkill.exe:776
BackgroundHost.exe:2036
PCPerformerSetup.tmp:548
%original file name%.exe:396
PCPerformerSetup.exe:284
PCPerformer.exe:476
SpeedTest.exe:1220
regsvr32.exe:788
regsvr32.exe:1272
regsvr32.exe:1432
install_helper_IE.exe:604
speedtest187.exe:356
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RDReminder" = "%Program Files%\PC Performer\PCPerformer.exe -rem"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 25152 | 25600 | 4.45121 | 1a752074fcd11165f6f148ea63ebe068 |
.rdata | 32768 | 6346 | 6656 | 3.38143 | 7eb0899a4b6211f8bc545228417d92ad |
.data | 40960 | 419452 | 512 | 0.94179 | b0b1d7c362f8cc76541b7fce5014e602 |
.ndata | 462848 | 839680 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1302528 | 2552 | 2560 | 3.15979 | a507cfd8d1f72e833c66c1724b493d32 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
<font color="red">GET /p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "03cacc7d05899aea99056522d1bc9eb6:1405419852"<br>
Last-Modified: Tue, 15 Jul 2014 10:24:07 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 50818<br>
Content-Type: application/x-shockwave-flash<br>
Date: Sat, 09 Aug 2014 02:05:09 GMT<br>
<<< skipped >>>
<font color="red">GET /speedtest/media/body-bg.jpg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 113687<br>
Last-Modified: Thu, 07 Mar 2013 07:57:00 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5138484c-1bc17"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Type: image/gif<br>
Content-Length: 5761<br>
Last-Modified: Thu, 07 Mar 2013 10:03:59 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5138660f-1681"<br>
Expires: Sat, 09 Aug 2014 03:05:08 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
<font color="red">GET /cse/intl/en/images/google_custom_search_watermark.gif HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.google.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Type: image/gif<br>
Last-Modified: Wed, 08 Feb 2012 18:07:38 GMT<br>
Date: Fri, 08 Aug 2014 04:46:13 GMT<br>
Expires: Sun, 10 Aug 2014 04:46:13 GMT<br>
X-Content-Type-Options: nosniff<br>
Server: pfe<br>
Content-Length: 2024<br>
X-XSS-Protection: 1; mode=block<br>
X-Frame-Options: SAMEORIGIN<br>
Age: 76739<br>
Cache-Control: public, max-age=172800<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
Location: hXXp://VVV.google.com.ua/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y<br>
Cache-Control: private, max-age=43200<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Expires: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Server: adclick_server<br>
Content-Length: 701<br>
X-XSS-Protection: 1; mode=block<br>
<<< skipped >>>
<font color="red">GET /p/03/ca/cc/7d/03cacc7d05899aea99056522d1bc9eb6.swf?clickTAG=http://nym1.ib.adnxs.com/click?oOnlu991iz92hej14raIP6RwPQrXo9g_doXo9eK2iD-f6eW733WLP_6cUIxk4dRkD13e5zAod23UgeVTAAAAAMUsMQDPCAAAnwMAAAIAAAD_cAgBgR4HAAAAAQBVU0QAVVNEACwB-gAbxAAAPeQAAgUAAQIAAJIALC7cfwAAAAA./cnd=%21JgYwOgiTxpcCEP_hoQgYgb0cIAA./referrer=http%3A%2F%2FVVV.performersoft.com%2Fspeedtest%2F%3Fcid%3D4751/clickenc=http%3A%2F%2Ftrack.popmog.com%2Fc%2F2047049%2Fclick%3Fsubid%3D3222725%26sspdata%3Dnym1CI-6-b6Ohsq7bRACGP65wuLIrLjqZCIPMTkzLjEzOC4yNDQuMjMxKAEw1IOWnwU. HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "03cacc7d05899aea99056522d1bc9eb6:1405419852"<br>
Last-Modified: Tue, 15 Jul 2014 10:24:07 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 50818<br>
Content-Type: application/x-shockwave-flash<br>
Date: Sat, 09 Aug 2014 02:05:09 GMT<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.adnxs.com<br>
Connection: Keep-Alive<br>
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
ETag: "e3de0e76c13e81e3b0683dac240498eb:1377552334"<br>
Last-Modified: Mon, 26 Aug 2013 21:25:34 GMT<br>
Accept-Ranges: bytes<br>
Content-Type: application/x-javascript<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Content-Length: 509<br>
Date: Sat, 09 Aug 2014 02:05:10 GMT<br>
<<< skipped >>>
<font color="red">GET /js/130131868.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: cdn.optimizely.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Encoding: gzip<br>
Accept-Ranges: bytes<br>
Cache-Control: max-age=120<br>
Content-Type: text/javascript<br>
Date: Sat, 09 Aug 2014 02:05:04 GMT<br>
Etag: "b49f06288845e4dd4b6f014e890160ac"<br>
Last-Modified: Tue, 05 Aug 2014 06:46:29 GMT<br>
Server: ECS (dca/FEAB)<br>
Timing-Allow-Origin: *<br>
Vary: Accept-Encoding<br>
x-amz-id-2: rxUZeSGOxkZrChX9 Zt8gC5ZzEmnMaRoNTONdeh8R6oO9rbgeL6YTNnxbmHlgu74<br>
x-amz-request-id: EE083D5DBBB51256<br>
X-Cache: HIT<br>
<<< skipped >>>
<font color="red">GET /ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: VVV.google.com<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
Location: hXXp://VVV.google.com.ua/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y<br>
Cache-Control: private, max-age=43200<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Expires: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Server: adclick_server<br>
Content-Length: 700<br>
X-XSS-Protection: 1; mode=block<br>
<<< skipped >>>
<font color="red">GET /css?family=Open Sans:400,600,700,800 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: fonts.googleapis.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Content-Type: text/css<br>
Timing-Allow-Origin: *<br>
Expires: Sat, 09 Aug 2014 02:05:05 GMT<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Cache-Control: private, max-age=86400<br>
Content-Encoding: gzip<br>
Content-Length: 262<br>
X-Content-Type-Options: nosniff<br>
X-Frame-Options: SAMEORIGIN<br>
X-XSS-Protection: 1; mode=block<br>
Server: GSE<br>
Alternate-Protocol: 80:quic<br></font><br><br>
<font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: d360c61977da6f671ee04b0f0db5d6753737a7ee<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 180<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:50","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"697294400","component_id":"696","cid":"4751","action":"install","error_type":""}
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:01 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..</pre></font><br><br>
<font color="red">POST /events HTTP/1.1<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Token: 1ac1acb5747d4b6db021a1ac3947003b<br>
X-Hash: 46496a7ea9094c0db7f1e6beb71b3a45e4bdedcf<br>
User-Agent: NSIS_Inetc (Mozilla)<br>
Host: api.ibario.com<br>
Content-Length: 176<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
<br>
{"country":"","timestamp":"2014-08-09 5:04:51","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"931079049","component_id":"","cid":"4751","action":"finish","error_type":""}
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:02 GMT<br>
Content-Type: application/json<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.13<br>
Access-Control-Allow-Origin: *<br><pre>27..{"flash":{},"error":false,"status":200}..0..</pre></font><br><br>
<font color="red">GET /pagead/viewthroughconversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: googleads.g.doubleclick.net<br>
<br>
</font><br><font color="blue">HTTP/1.1 302 Found<br>
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Pragma: no-cache<br>
Expires: Fri, 01 Jan 1990 00:00:00 GMT<br>
Cache-Control: no-cache, must-revalidate<br>
Location: hXXp://VVV.google.com/ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896<br>
Content-Type: text/html; charset=UTF-8<br>
X-Content-Type-Options: nosniff<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 76<br>
X-XSS-Protection: 1; mode=block<br>
Alternate-Protocol: 80:quic<br>
<<< skipped >>>
<font color="red">GET /speedtest/?cid=4751 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:03 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.17<br>
Set-Cookie: cid=4751; expires=Mon, 08-Sep-2014 02:05:03 GMT; path=/; domain=.performersoft.com<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Content-Type: text/css<br>
Last-Modified: Tue, 11 Mar 2014 08:22:46 GMT<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
Expires: Sat, 09 Aug 2014 03:05:05 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:05 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 8136<br>
Last-Modified: Thu, 07 Mar 2013 07:56:50 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "51384842-1fc8"<br>
Expires: Sat, 09 Aug 2014 03:05:05 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 23992<br>
Last-Modified: Wed, 09 Oct 2013 06:56:42 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5254fe2a-5db8"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: application/x-javascript<br>
Last-Modified: Sun, 30 Mar 2014 11:59:34 GMT<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 67806<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-108de"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 404 Not Found<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: text/html<br>
Content-Length: 564<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br></font><br><br>
<font color="red">GET /component/img/whitebg.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:07 GMT<br>
Content-Type: image/png<br>
Content-Length: 979<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-3d3"<br>
Expires: Sat, 09 Aug 2014 03:05:07 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br></font><br><br>
<font color="red">GET /speedtest/media/footer.jpg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:08 GMT<br>
Content-Type: image/jpeg<br>
Content-Length: 3691<br>
Last-Modified: Thu, 07 Mar 2013 07:57:04 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "51384850-e6b"<br>
Expires: Sat, 09 Aug 2014 03:05:08 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
<font color="red">GET /component/logics.swf?nocache=9082 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: application/x-shockwave-flash<br>
Content-Length: 37670<br>
Last-Modified: Tue, 10 Jun 2014 06:34:05 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "5396a6dd-9326"<br>
Expires: Sat, 09 Aug 2014 03:05:12 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/xml<br>
Content-Length: 223<br>
Last-Modified: Sun, 30 Mar 2014 12:24:17 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380cf1-df"<br>
Set-Cookie: norjs=1; path=/<br>
Accept-Ranges: bytes<br><pre><?xml version="1.0" encoding="UTF-8"?>
<main>
  <license>
    <customer>ibario</customer>
    <domain>VVV.performersoft.com</domain>
    <key>914b0bde6ff65c7fc05486bdcca65506</key>
  </license>
</main></pre></font><br><br>
<font color="red">POST /component/gateway.php HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Content-Type: application/x-www-form-urlencoded<br>
Content-Length: 44<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
domain=www.performersoft.com&action=init
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:12 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
Vary: Accept-Encoding<br>
X-Powered-By: PHP/5.4.17<br>
Set-Cookie: norjs=1; path=/<br>
Content-Encoding: gzip<br><pre>b8..............A..0.Eo.].c,..Y..N....iP3!.T..7........._|&..0!..._.X.<br>.{.F.K.8..q.y=:.H.....#."....b 8........=4...W7..nv1 ...^.........4..A<br>.........../..d....e...yV\../...J.H.R...T>..t.....0..</font>....</pre></font><br><br><font color="red">GET /component/graphics.swf?nocache=413332.6606824994 HTTP/1.1<br>
Accept: */*<br>
Accept-Language: en-US<br>
Referer: hXXp://VVV.performersoft.com/component/logics.swf?nocache=9082<br>
x-flash-version: 11,6,602,168<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: VVV.performersoft.com<br>
Connection: Keep-Alive<br>
Cookie: cid=4751; optimizelySegments={"174149309":"ie","173002992":"false","174179738":"direct","335502688":"true"}; optimizelyEndUserId=oeu1407549893958r0.050962674514707096; optimizelyBuckets={}; optimizelyPendingLogEvents=[]; _ga=GA1.2.476553240.1407549896; __utma=125033355.476553240.1407549896.1407549901.1407549901.1; __utmb=125033355.1.10.1407549901; __utmc=125033355; __utmz=125033355.1407549901.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); norjs=1<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Sat, 09 Aug 2014 02:05:13 GMT<br>
Content-Type: application/x-shockwave-flash<br>
Content-Length: 46752<br>
Last-Modified: Sun, 30 Mar 2014 11:59:36 GMT<br>
Connection: keep-alive<br>
Keep-Alive: timeout=2<br>
ETag: "53380728-b6a0"<br>
Expires: Sat, 09 Aug 2014 03:05:13 GMT<br>
Cache-Control: max-age=3600<br>
Set-Cookie: norjs=1; path=/<br>
<<< skipped >>>
GET /utils/dns HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: api.ibario.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Aug 2014 02:04:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13

17
hXXp://VVV.appregis.com
0

POST /events HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Token: 1ac1acb5747d4b6db021a1ac3947003b
X-Hash: abdee05783fe5b23e095935a51a00b6bd959f7d7
User-Agent: NSIS_Inetc (Mozilla)
Host: api.ibario.com
Content-Length: 176
Connection: Keep-Alive
Cache-Control: no-cache

{"country":"","timestamp":"2014-08-09 5:04:25","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"1599991063","component_id":"","cid":"4751","action":"start","error_type":""}

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Aug 2014 02:04:37 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
Access-Control-Allow-Origin: *

27
{"flash":{},"error":false,"status":200}
0

GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT
Date: Fri, 08 Aug 2014 05:34:26 GMT
Expires: Sat, 08 Aug 2015 05:34:26 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32819
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 73840
<<< skipped >>>
GET /ads/conversion/983437618/?random=1279482836&cv=7&fst=1407549900333&num=2&fmt=2&value=0&label=UvAcCIb-uAIQsqL41AM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=1841122896&ipr=y HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.google.com.ua

HTTP/1.1 200 OK
Date: Sat, 09 Aug 2014 02:05:12 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: adclick_server
Content-Length: 76
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic

GET /ttj?id=3222726&referrer=[REFERRER_URL] HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ib.adnxs.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
X-XSS-Protection: 0
Set-Cookie: uuid2=0; path=/; expires=Fri, 07-Nov-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:07 GMT; domain=.adnxs.com; HttpOnly
Location: hXXp://ib.adnxs.com/bounce?/ttj?id=3222726&referrer=[REFERRER_URL]
Content-Type: text/html; charset=utf-8
Date: Sat, 09 Aug 2014 02:05:07 GMT
<<< skipped >>>
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ib.adnxs.com
Connection: Keep-Alive
Cookie: uuid2=7887817462876364047; sess=1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
X-XSS-Protection: 0
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Sat, 09 Aug 2014 02:05:08 GMT
<<< skipped >>>
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ib.adnxs.com
Connection: Keep-Alive
Cookie: uuid2=7887817462876364047; sess=1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
X-XSS-Protection: 0
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/javascript; charset=utf-8
Date: Sat, 09 Aug 2014 02:05:08 GMT
<<< skipped >>>
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ib.adnxs.com
Connection: Keep-Alive
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
X-XSS-Protection: 0
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Sat, 09 Aug 2014 02:05:08 GMT
<<< skipped >>>
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ib.adnxs.com
Connection: Keep-Alive
Cookie: uuid2=7887817462876364047; sess=1; icu=ChII_-wYEAoYASABKAEw1IOWnwUQ1IOWnwUYAA..; anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="hXXp://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
X-XSS-Protection: 0
Set-Cookie: uuid2=7887817462876364047; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 10-Aug-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII_-wYEAoYAiACKAIw1IOWnwUQ1IOWnwUYAQ..; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=dTM7k!M4.NCxrEQDgEREg0D`mgx!ea#uqzhcb7D(5Cs1%; path=/; expires=Fri, 07-Nov-2014 02:05:08 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/javascript; charset=utf-8
Date: Sat, 09 Aug 2014 02:05:08 GMT
<<< skipped >>>
GET /cookie.php?cid=4751 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.zulagames.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Aug 2014 02:05:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.17
Set-Cookie: cid=4751; expires=Mon, 08-Sep-2014 02:05:12 GMT; path=/; domain=.zulagames.com
Set-Cookie: norjs=1; path=/
Content-Encoding: gzip

GET /pagead/viewthroughconversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: googleads.g.doubleclick.net

HTTP/1.1 302 Found
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sat, 09 Aug 2014 02:05:12 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://VVV.google.com/ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: cafe
Content-Length: 76
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic
<<< skipped >>>
GET /js/geo2.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn3.optimizely.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: AmazonS3
Content-Length: 291
Content-Type: application/x-javascript
x-amz-id-2: JfVu8nNGDGi l3p7HQACJzYVUDKQxkRKEngemu8HabWpc0Ftzt9DgqNrfAQfpTb5
Vary: Accept-Encoding
ETag: "adadfc5d7afd13e353d9d52cec1c7827"
x-amz-request-id: 347C1B22ADFA7FF5
Cache-Control: max-age=14454
Date: Sat, 09 Aug 2014 02:05:05 GMT
Connection: keep-alive

(function(){
  window['optimizely'] = window['optimizely'] || [];
  window['optimizely'].push(['activateGeoDelayedExperiments', {
    'location':{
      'city': "KHARKIV",
      'continent': "EU",
      'country': "UA",
      'region': ""
    },
    'ip':"193.138.244.231"
  }]);
})
//
()
;

POST /events HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Token: 1ac1acb5747d4b6db021a1ac3947003b
X-Hash: 8dfbdf8fe6e33a49e092cc761253a524a3b138c7
User-Agent: NSIS_Inetc (Mozilla)
Host: api.ibario.com
Content-Length: 180
Connection: Keep-Alive
Cache-Control: no-cache

{"country":"","timestamp":"2014-08-09 5:04:36","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":"200654816","component_id":"705","cid":"4751","action":"install","error_type":""}

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Aug 2014 02:04:48 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
Access-Control-Allow-Origin: *

27
{"flash":{},"error":false,"status":200}
0

GET /service/country.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.appregis.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 09 Aug 2014 02:04:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.16

2
UA
0

GET /files/components/speedtest187Setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.appregis.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 09 Aug 2014 02:04:37 GMT
Content-Type: application/octet-stream
Content-Length: 1952545
Last-Modified: Wed, 11 Jun 2014 12:05:16 GMT
Connection: keep-alive
<<< skipped >>>
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.appregis.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 09 Aug 2014 02:04:47 GMT
Content-Type: application/octet-stream
Content-Length: 3343896
Last-Modified: Tue, 13 May 2014 09:37:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /ads/conversion/993973503/?random=147077969&cv=7&fst=1407549900333&num=1&fmt=2&value=0&label=TcubCPnD8gIQ_6n72QM&bg=ffffff&hl=ar&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.performersoft.com/speedtest/?cid=4751&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=2164007956&ipr=y HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.google.com.ua

HTTP/1.1 200 OK
Date: Sat, 09 Aug 2014 02:05:12 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: adclick_server
Content-Length: 76
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic

GET /jquery-1.9.1.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: code.jquery.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 09 Aug 2014 02:05:06 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 92629
Connection: keep-alive
Last-Modified: Wed, 26 Mar 2014 00:56:22 GMT
Vary: Accept-Encoding
ETag: "533225b6-169d5"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /en_US/fbds.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: connect.facebook.net
Connection: Keep-Alive

HTTP/1.1 200 OK
ETag: "6aaf747cfda935915d39c54eabad63e0"
Content-Type: application/x-javascript; charset=utf-8
Timing-Allow-Origin: *
Content-Encoding: gzip
Content-MD5: gdTcR9t8u/1pp4CYgQDqRA==
X-FB-Debug: PxXCzIgpHqdTL7T0IVsCfn vgDpO3D3TJLbQzx42ssQnVhIufa1778RCr7pUvGiR9x/U1gPYgDjlWtBFR0FK9A==
Content-Length: 1546
Cache-Control: public, max-age=1200
Expires: Sat, 09 Aug 2014 02:25:12 GMT
Date: Sat, 09 Aug 2014 02:05:12 GMT
Connection: keep-alive
<<< skipped >>>
GET /static/fonts/opensans/v9/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.performersoft.com/speedtest/?cid=4751
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: themes.googleusercontent.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: font/eot
Last-Modified: Thu, 31 Jul 2014 00:49:13 GMT
Date: Tue, 05 Aug 2014 13:54:52 GMT
Expires: Wed, 05 Aug 2015 13:54:52 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 18265
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 303014
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
iexplore.exe_1840:
BackgroundHost.exe_1300: