MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 12a64613a19c4fe9abd460a4bc0705a1
SHA1: 56e0a8bb033b3ac5cb2bf67b20a9b412587043af
SHA256: 2b809adcedccc6fa669b5ae2e78e02835f8550e252224598359f79b341e55191
SSDeep: 24576:lD9484CsoZWCM5PAj7vrhbpODEN6kVYQnon08SFv2:zL4hp rOoN6kVY o0rFO
Size: 943392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wmic.exe:192
The Trojan injects its code into the following process(es):
setup.exe:1004
f.exe:1832
6_Offer_15.exe:1400
%original file name%.exe:1096
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\components.ini (1218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\InstallOptions.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-header.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\modern-wizard.bmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\ioSpecial.ini (9996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\summary.ini (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\options.ini (3918 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp\shortcuts.ini (1782 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB5.tmp (0 bytes)
The process f.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (5392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\DynamicOfferScreen[1].htm (850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery.min[1].js (1005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui[1].css (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BuzzIT2Checker11-6[1].exe (7494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_15.exe (2582958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\bodyImg[1].png (8516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\Firefox Setup 26.0[1].exe (3284663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery-ui.min[1].js (8781 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
The process wmic.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
The process 6_Offer_15.exe:1400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp (0 bytes)
The process %original file name%.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB2.tmp (0 bytes)
Registry activity
The process setup.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 03 07 88 05 50 78 10 31 B3 F7 8C 47 FE 1E 98"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process f.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CachePrefix" = ":2014062020140621:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 9D BA B8 FD 2A 00 5E 21 64 1A 09 31 90 A0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014062020140621\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062020140621]
"CacheOptions" = "11"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which do not belong to any other zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process wmic.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 4B C0 C8 10 BF 09 49 E9 04 84 98 3B ED B8 96"
The process 6_Offer_15.exe:1400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D EB 51 1C D8 21 55 B8 EB A2 D9 4B 8B 5F 30 38"
The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8F 92 DF 2B B0 32 3B C9 44 F3 36 F7 0E 49 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
c5c5de801c3d3ee767574893a7df656d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_15.exe |
cf51b758916e5bf68ba8f0a6b3fb6bf1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll |
1c9b45e87528b8bb8cfa884ea0099a85 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll |
0cd085ca321c43cb4c1bcf99ab8ea080 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll |
666a76d8ed0a06c9404da0d546bf3627 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll |
e17ee29b33661a5dfa55c8788adca28f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe |
1eea6c1b35191dc177ea83672b9c3fc0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\firefox.exe |
8439cd841764fc1d7b1059a21021bdca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll |
1fd37aec631eef547ff6c93151c21a5b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll |
9440e99ff69d095896660a166bf74866 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll |
a24534258c89c992d3e03729e3c42ab3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll |
3b9398e0146855b1dc0e3d9769c80f01 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe |
b5b3e07dd04eaa1ffceb37ef9f7849fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe |
454830b2ff549241e4b09cd291f4b59d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll |
ab7ebfd1d7fe626612d1e815fe4e6df4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll |
8a6087b231b529ef6186cd0179b16032 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll |
03e9314004f504a14a61c3d364b62f66 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll |
2545f8fa1ba4417308df63b952d66fa1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nss3.dll |
cf618ddc43b1f48959275961d0142615 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll |
689a9eff35da52f70849fdb25034174f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll |
0dd74786d22edff0ce5b8e1b1e398618 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe |
51bb4983ba8b8f4c712ae7ebb5577cd8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe |
a6f5aa4bd602cda7b0a375a6a48d715d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll |
5b61c11223e59c1aca4adae6fdd2a775 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe |
63e98c05d504e9f30dae364dce50e0f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\updater.exe |
4f5cac0d371454e97d1bd918489792f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe |
abcc2fbcca63a5f6309485ca3ef18e7c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe |
de2345b8cbcc6366e20848ec22278cb6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\xul.dll |
01944475fa7b6c1f30f931013cf61d1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\setup.exe |
c416bcf6a1bfc274c22c243da87c0f33 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f.exe |
67d8f4d5acdb722e9cb7a99570b3ded1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB6.tmp\InstallOptions.dll |
959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB6.tmp\System.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\System.dll |
b8b654dd30c249e00c79f1508a2736e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\BuzzIT2Checker11-6[1].exe |
c5c5de801c3d3ee767574893a7df656d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\Firefox Setup 26.0[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name:
Product Name: Firefox
Product Version: 3.0
Legal Copyright: Firefox
Legal Trademarks: Firefox
Original Filename:
Internal Name:
File Version:
File Description: Firefox
Comments: setup Installer
Language: English (Australia)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 286720 | 3176 | 3584 | 2.75375 | 61886786c758d78857d0529764e4c7bd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 481
Network Activity
URLs
URL | IP |
---|---|
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 | |
hxxp://e1005.g.akamaiedge.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe | |
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topComp.png | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topLine.jpg | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bgImg.jpg | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bottomLine.jpg | |
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=112047188&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=15&downloadduration=24656&installduration=94 | |
hxxp://smartinstaller.elasticbeanstalk.com/Installer/TrackFinish?reqid=112047188&x=y&clickid=-1 | |
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | |
hxxp://www.postdownload.net/portal/redirect.php?id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44&d=ez-download.com&p=Firefox&pid=3 | 162.159.244.195 |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bodyImg.png | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button_over.png | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/nextCase.jpg | |
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button.png | |
hxxp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 | 173.203.239.57 |
hxxp://thankyou.postdownload.net/css/thanks1.css | 173.203.239.57 |
hxxp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00 | 166.78.35.128 |
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.7.1/jquery.min.js | |
hxxp://ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 | 141.101.112.6 |
hxxp://a1834.g1.akamai.net/js/widgets/clkL.min.js | |
hxxp://a1834.g1.akamai.net/styles/widget/static/theme2_template8.css | |
hxxp://a1834.g1.akamai.net/images/addons/icons/25932/Slimcleaner-CA-Ron-All-widget-lp1--25932.png | |
hxxp://a1834.g1.akamai.net/images/widget/2/addon.png | |
hxxp://dualstack.counter-817696455.us-east-1.elb.amazonaws.com/blank.gif?t=141669771145&h=a023e0f902a095d8b136fb5b66956e00&cids=pac | |
hxxp://a1834.g1.akamai.net/images/widget/2/widget.png | |
hxxp://a1834.g1.akamai.net/images/widget/2/header.png | |
hxxp://a1834.g1.akamai.net/images/widget/button.png | |
hxxp://cdn.delivery49.com/images/widget/2/addon.png | 208.185.54.241 |
hxxp://www.ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44 | 141.101.112.6 |
hxxp://cdn.delivery49.com/styles/widget/static/theme2_template8.css | 208.185.54.241 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | 74.125.29.95 |
hxxp://cdn.delivery49.com/images/addons/icons/25932/Slimcleaner-CA-Ron-All-widget-lp1--25932.png | 208.185.54.241 |
hxxp://cdn.delivery49.com/images/widget/2/widget.png | 208.185.54.241 |
hxxp://static.revenyou.com/offers/images/Theme11/topComp.png | 198.232.124.224 |
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js | 74.125.29.95 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | 74.125.29.95 |
hxxp://installer.apps-track.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 | 54.225.131.135 |
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | 198.232.124.224 |
hxxp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | 54.225.131.135 |
hxxp://static.revenyou.com/offers/images/Theme11/button.png | 198.232.124.224 |
hxxp://cdn.delivery49.com/js/widgets/clkL.min.js | 208.185.54.241 |
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js | 74.125.29.95 |
hxxp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | 54.225.131.135 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | 74.125.29.95 |
hxxp://cdn.download4desktop.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme11/bodyImg.png | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme11/bgImg.jpg | 198.232.124.224 |
hxxp://installer.apps-track.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=112047188&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4754&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=15&downloadduration=24656&installduration=94 | 54.225.131.135 |
hxxp://static.revenyou.com/offers/images/Theme11/bottomLine.jpg | 198.232.124.224 |
hxxp://cdn.delivery49.com/images/widget/button.png | 208.185.54.241 |
hxxp://static.revenyou.com/offers/images/Theme11/nextCase.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme11/topLine.jpg | 198.232.124.224 |
hxxp://download-installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe | 23.44.196.61 |
hxxp://counter.d.delivery49.com/blank.gif?t=141669771145&h=a023e0f902a095d8b136fb5b66956e00&cids=pac | 54.225.69.34 |
hxxp://static.revenyou.com/offers/images/Theme11/button_over.png | 198.232.124.224 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | 74.125.29.95 |
hxxp://installer.apps-track.com/Installer/TrackFinish?reqid=112047188&x=y&clickid=-1 | 54.225.131.135 |
apis.google.com | 173.194.43.32 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /js/widgets/clkL.min.js HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Mon, 12 Aug 2013 15:00:20 GMT
ETag: "ecdb-252-4e3c1620c2900"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 348
Content-Type: application/javascript
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
Vary: Accept-Encoding
.............N.0...<.f..H!..).B.#...!.&...%U.vL[..dEk..5...c.....)..1~.p8fl..0.T....{...". .....q$.....b.....<..HKf.Yz}...~...:..l..."!...4....`..n.1.m..j........Xd...ak...b(m.@....4.*.3a..Y...&......*.......V14..EA...j......P=...^...@..d..............,..h,-.b.Ig.G.=.....k.T=........>./...7.]....../..D.... ..F.q......Zo'....._..q.c!6..&...C..R.......
GET /styles/widget/static/theme2_template8.css HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 11 Aug 2010 13:36:53 GMT
ETag: "204c7-1777-48d8c57b10740"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 1181
Content-Type: text/css
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
Vary: Accept-Encoding
...........X.n.:.}. ...vW%%.4.<.O.....k.........m .......j..=..93s......d......... ......`.......?H3.../.@..P..h...>Wi..=..QBX....%.v.{\!........7DN." .V...].S7Co.7M...U.Z^....`~..Ca.$!4... G&6..tj..p.)b...}T.....%l....7H.JA....8J@...F..... .j...A...QX......U.._B.u...........*..hk........q.....wA..g..V......yjG=......?\..`.QXC..=..{. ....k....;.n6W....iqNH...]..;....]..u..Wr..`.)....7........jq..tY...k>#......3^...}..2..:......H..9f....CWI....k.?.0....H5..G...8'T..^.g..F7.( =Rj....?...tsE3......"V...j.....,.|...@...8/.W.aYw%.....9-".....x.3.Y.I.)5..T.yi.....0..........d...=......n....;.!.w..8%...C.......|..$.....mr....Y..rH\...........P .DIE...4'.#..H.S..{...0..DA.....GF......s.....d0%.H 1../...^`o.6T....!..\O.`.........0.......7..../.d...p.b....q...F.._U........6... ....^....CT..G-y.Y..y.Gk...O.........9...w...t...`.Z..2..VW(%...B..7..Z...P...-.........wg..(...5;.....Q..l........t...cH.i........9...C.S3.MX.......I0`...".Q..a..<.....<.,.....N.D.p...W.b....x...[........k.......I.... ~{..&..*..!..^.G.....f..A....@`..0....r..".T......9q...p_.zA...F..-/0F.xn/...p.>cJ....k.u...Q{.K./.V. ....<T.&........os.....H...r._.J.............g..f...=..j.%..."0'8,.kJL.....D..w.......
<<
<<< skipped >>>
GET /images/widget/2/addon.png HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 27 May 2010 09:24:52 GMT
ETag: "201a2-22a-4878ff6786100"
Accept-Ranges: bytes
Content-Length: 554
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR..............5.?....tEXtSoftware.Adobe ImageReadyq.e<....PLTE....................................................................""H`.)7.:N#Jd.[x...(Ur.....="Ha....."%Oj........%.......*8.2A.%1.%2......J_.l...3IDATx....Q...E.'(....3. .K....?..C8uj.8..9/....D....D.....................................................................<B$k...-D.6.k.A$k....D.6.k.!R.!..I]{......M..o................"Y....... ..I]{...."Y...........H.&u...dmR...H...`m.6X......`m.6X....&u...$:...$...a%.iV.k5......._M.....Q........C.M._..0.@.....`.....IEND.B`.....
GET /images/widget/2/widget.png HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 27 May 2010 09:24:52 GMT
ETag: "201a5-21f-4878ff6786100"
Accept-Ranges: bytes
Content-Length: 543
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR.......d.............tEXtSoftware.Adobe ImageReadyq.e<...oPLTE)Wu(Vt&Tr.Vp$Rp Nl.A_.=[.;Y.Ig"Pn0Xr.?].Db.B`#Qo.Ge/Wq.@^.Ca.>\.<Z.Hf.Jh%Sq!Om.Ec.Fd'Us.Lj.Mk.Ki-Uo.:X.9W,Tn...&......%tRNS.....................................?.BO....IDATx....m.P....33.....w.S..L..g.o.Yk....9. c.........Ms.[..S..k..}.26...!hn h. h.!h^ h.!h.!h. h. h> h. h.!h. ..4.~..9....... c.....f...Ms.W..-.26.........gK..[/g..z36...c....`l06..c....`l06..c....`l06..c....`l....c....`l....c....`l....c....`l....c....c.@.f.O.Y..A..9........0......V......IEND.B`.t>....
GET /images/widget/button.png HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 11 Mar 2010 15:16:22 GMT
ETag: "c981-3fd-48187e5c05d80"
Accept-Ranges: bytes
Content-Length: 1021
Content-Type: image/png
Cache-Control: max-age=43200
Date: Fri, 20 Jun 2014 02:40:40 GMT
Connection: keep-alive
.PNG........IHDR...,...,.......u.....tEXtSoftware.Adobe ImageReadyq.e<....PLTE.....MV..k.*.....k~.:...D..K|.S.)a..9r.9.......WS.....6........{.A..@9...q....b..:.#l.D|.6E....F3..j.$"d._..S..P../..p.-[."..IB....`r.3g.Em.6m..K..0....I...`.$...U..g..{.[^.1l.XW....~N..Y..I..p.I"].g.&...7..h.&...e. Z..Q..X..(z.U.?...W.A?r.5..e....ls.;@..c. T......<n....XtRNS........................................................................................x......'IDATx...[S.@.........6 ..........4m=.....h..7qs.:.m.....Ln.............bVCI Q..p.;.7..~....c..D...L...T....N\...s.B).-D,....L7"..>..N.B.........i.........=.r,b...S‰..)..
GET /portal/redirect.php?id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44&d=ez-download.com&p=Firefox&pid=3 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.postdownload.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de31ac9442f6e3dbef24cd96afed1578d1403232038616; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.postdownload.net; HttpOnly
X-Powered-By: PHP/5.4.9-4ubuntu2
Set-Cookie: PHPSESSID=9b5gqb8ik08b1b7rlvbvd02ke0; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: hXXp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44
Vary: Accept-Encoding
CF-RAY: 13d49a5154dc0779-EWR
0..HTTP/1.1 302 Found..Server: cloudflare-nginx..Date: Fri, 20 Jun 2014 02:40:38 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=de31ac9442f6e3dbef24cd96afed1578d1403232038616; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.postdownload.net; HttpOnly..X-Powered-By: PHP/5.4.9-4ubuntu2..Set-Cookie: PHPSESSID=9b5gqb8ik08b1b7rlvbvd02ke0; path=/..Expires: Sat, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..location: http://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44..Vary: Accept-Encoding..CF-RAY: 13d49a5154dc0779-EWR..0..
<<
<<< skipped >>>
GET /pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download-installer.cdn.mozilla.net
Connection: Keep-Alive
GET /pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download-installer.cdn.mozilla.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Thu, 05 Dec 2013 20:15:56 GMT
ETag: "4ae3bf9-16ece88-4eccf3278b700"
Server: Apache
X-Backend-Server: ftp4.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Length: 24039048
X-Cache-Info: cached
Cache-Control: max-age=314046
Expires: Mon, 23 Jun 2014 17:54:13 GMT
Date: Fri, 20 Jun 2014 02:40:07 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w....g...g...g...l...g.y.i...g...m...g...c...g...f.l.g.9.:...g..5V...g.=.a...g.Rich..g.................PE..L....I.Q.....................p...p........... ....@.........................................................................\...p.... ..\l............n.p ..........................................................................................UPX0.....p..............................UPX1................................@....rsrc....p... ...n..................@......................................................................................................................................................................................................................................................................................................................................................................................................2.03.UPX!......rb................&.......V...N.....13..Fx.Nt.H.........@......BA..Fh.....^......41V3..F`.".FT.X...-\.P.,&.Vj...S...lZN.P.J j...,..$^..k.. ..e....,0.4.p8.P(m[.mL.@.DH.<T..o..s.${..l....xS....~.W.M.....E..C.E.3.P.u.....~....@..u.#..E..'..w....Etu..@0;.....j.....v....Yt..`..t....H.. n....t...V.P.Z..M...E...e......@\..o...<......G..R...f;V.d.E....e._...Z....\.P.Q..w.n..[.H..7V=.Sn..`...P..Q.c1...........E...;....:../...u......~.."\y}...D.2............Pl...;.......C.P.u.........E.]......D.Kx..-.st~..fx.'.&..{h>Ah.M..u.;Y..^
<<
<<< skipped >>>
GET /offers/images/Theme11/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<
<<< skipped >>>
GET /offers/images/Theme11/bgImg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<
<<< skipped >>>
GET /offers/images/Theme11/button_over.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Fri, 27 Jun 2014 02:40:38 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...;IDATx..Z;o.1..Y.D...W."%=D..*=BPR@..5..........DHi...M.i...e.r............;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.sh..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[........sL..?@.o....y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K........YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N........*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..tsvP!.U0.q.......9z.e ..0.ALt..@l..2iR.2............. .>=...{WVim....f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o6......@..........n.^......IEND.B`.....
GET /offers/images/Theme11/nextCase.jpg HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=4&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Fri, 20 Jun 2014 02:40:38 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>....
<<
<<< skipped >>>
GET /widget/render/hash/a023e0f902a095d8b136fb5b66956e00 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1403232394&id=kq1biact55oo8759t14mgd64vgoiv2cv5k79kf0r60e1mpdgm7p1-143dcb4bfb2be335472f37f458a4db44
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Fri, 20 Jun 2014 02:39:52 GMT
Connection: Keep-Alive
X-Powered-By: PHP/5.4.28-1~dotdeb.1
Content-Length: 1205
...........V.r.6.}.L...L....dY.K.$..K..u.Q...H,). ...%.......tA....N..r4.\.vv...>;.u2.....]).....o'$.)..'..M...7...I..dj............s......2Z.#m.:=. o ...a..4#.x0....W.Tv......7..,0>.#....!9.@..wI.9.0.......B......Sx.2...bN....i.@.Q..xt\.$s.f.B..0i.....Vw.r..vH.93..h...w..b%...S.......R/....J..V...AZ...R.....7h%.N...0}.ReXQ...a..9<............\X...fRpL..-_.n..[.9k..~.vx..&..........q...v.u[..oh3#*G..ni...**..$.J.(.e.F.H-......I....$*...m0........g\E...F..~m......8K3y....{.....PW.!e6L.,V......%.9....@.T...&..!.3..PB..AYy.....&.;Q4 ..!mN..0.|Mj..@....8...A....B..ju../..5.|.....z..f...i!...a..E/......mv.....f...w.C[1u#'JV@0~.R[.b.qk[......`^JP|0....:7.).|.....~Kd...@8........_.Q......cA.J_..n.......B!..0e.Ua..Q ...H.......C. s.?.........T2uu.e.>.6...O..W..H.^..|g.YU2yV.. s^.>..O.n.dz.....]~>y..o?......eq...F..CV..R..V.z.K[.~.E?JQfx...p.2<.*|)e....*..Z0.T..&..?.C..Sj...b7..3A.3$.Z/...E........M...x...;.........9............7.._...d:."......../Krf.X.w......[...) .6...e..P..8.I.'...8p........!.;...0r:.....BZm.2.I...8.[.G..... ......b'.';[..{.K.........=.. .....k....D......s......o`....!...(......a...S.7=.Y...Z&v}Lz...j.D...r.d?98.w.I..y>.....8..-..;..&..|..(.9.8~..nG...W.../... .sv...*.........
<<
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:29:14 GMT
Expires: Fri, 20 Jun 2014 03:29:14 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 650
Alternate-Protocol: 80:quic
...........=k.....3...E...yl.=.=.....7@..6..~...e.#K.$.#A..=.!%J|iz...;@Z.:...y..}..........X.H~{G...O~......-.M^M....@o..c.....Og.s............!/.Ms.\\...'t.&qy..........hN.,fE..r*.V.f..O.>.."...G._.... s.WO8f....v...dJ>O...H ..o..>..! v.o~y...gg.....#.D.,?BwgQ...&.,B.h.%. .'.d.1...R...&.M...1..l.3.?.u..t.B.u...F....e....&q..7.bq.bv| ........... V..z;.j.A_.kr.I.J...e.z..A.yV0........0..5i.C.%,. .L..iY4Q.}...t......y..U.q.h.f..-K.....3.6...H..Y..|..u.....\d[T.........>......|...Y...T.*...<..X..F.S.:.4..G.<.r`k.&?........0.p.w gEcN..=.'8a...E......~...$OXJOy.s)...ud..\tQ.Z$$;..|.}g@G..m^...S2.gn.h......;V.yy.!...{4..U%D>x....{...2.SV....!Y<....3..e...cMTb.5.,f...r..$Or..%X...78.I.>..Y.99@.........U......4....5.......2.......UY.<.W EY.h.<.U.l2c.....V.J..T.^...owo.....(...|...Sh..~x..l..ovyY.7...M... ..v2.%.j....Np1_....4...M...9.~.,y.V..b.-...i.&i.q...W7......*1.QP.k:C..^.k6..T.\.u,..LW.(S<)5.............X...ZW...#.UC*.:nT;.....\<._.. J.YK.:9.H}3....U.B..$..W..f$l]^m....@..c..........0.h...l.q.,(."......l.%........:.A..y.'n.. ..j:.q2.]r..M...j.JSQ....i.8...J...".iZ.V.....5..'S:.*..C..V.Y.!S.k*.:FT.tv...1.P.A.e..r.h......-..uGZ6.(.....l..!5....z....2M!.?.G.........'....U>..-aH/ .E.D.T{J..C!...tK.!.a.v..~......$....5 ..xj.u...P...x.@ F{..S..R.O.<d#.E%PS.//......5fV.4...1..S.......mw..#..o Q. .....p_yI..ox.....UM.uP....b.v0GE.....A....X.!pX4.......Y-o..f9.....L.p$.........;..P...Q.b........mZe..$s..].8..t...M...o......X...S".>..1A*.....2h......D.j8Y..wL..^.| ....1...`C
<<
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:09:36 GMT
Expires: Fri, 20 Jun 2014 03:09:36 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 51558
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1829
Alternate-Protocol: 80:quic
............iw...0....d...-.@......."...x{,y.<....n.M....ZB...w...AP...9.L,.k_n..n.{.......V..G..<........}......n.........l..Y....z3..................E1.-.uz..........ZXI..rZm....../X...4.......@..Z......yUlB..U#..L...1p.>...2...].....M(...J.....e..I......5...9...e.....&.........W..y...f./..j..}^....r...n.._7.j.o..v.i./a.7uq......r.%.,......j9..Y.s......@..$...... \...H...=....?....y...}W..b].G..|-....wG.N.O<.H.Q...'w......H.....*.....?..Uo..n..Z=..U...I...*..,....J.@.b.....l.[@E1.....jq<..V.d.=.n......,..o... .gY.G....N%$f..u..."J.....xvrR..$.q..i....l..m7....p...]./!.......JF0..^.. ...Q.....H..q...._wr"9..S].I/_.....~M...Z..U5..^q.z..U...k..........Q.........v...[.v..`:UJvIo^-...........n.;..{o....p.CliS-J..w27...F.....v .{...t..........g._._...~z......wz.......gP.K.....W....w/.ym......B.cH....?~..~/.~..../...._.........4..s........x..z|...^|.../.._..?.z..............?.......?=......N......_<...3.n..I/..../ e.Rd../U...|...O.....Pi.~.....=.5..%~z...oh..?.._~J.?.?.....0....g.. ....0....W...x....W.k|)....h....n...7Y....c..l.Y..._...3.D.f.,n..G?.'h...*.l...ZN...R...q..F.;.*/f6T.q-3........Z.n..y\&.].......*.C..p..I.U.Z/....`..W..k<.Pn]....OtJR...P...j.n...z]W''..z.o.b.....m...K...u.)..%.v{.8p9..T....4U......X..U.o'...T.....D...G.tc.3o....8./.a.NK^...........q?I.0.....)-..m.\..m...@.0......\..{.>........D..n..Gp..)R:...>.D ....d.nV.......C....pWe.?Xl.B.....6} .Q.4...j....^.6q..3..>5w\.....'.@....&6...?ok..$.;....[...!Vo........vx}{s.L.dA...6......8.r......bt.>"a........0...I~;....
<<
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Fri, 20 Jun 2014 02:11:48 GMT
Expires: Fri, 20 Jun 2014 03:11:48 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1697
Alternate-Protocol: 80:quic
.PNG........IHDR.......d.....p..}...HIDATx...K..N................q..B....6...._.d.c.......*...V......|U.......w-...p..>Z..........`............`............`............`............`............`............`............`.......@.....:n.K>.u.....X..V..G........l.9......j6.x..xu..y...I... gZ.D.L...........4[OG.8.|d.....;.N[O..lz.M....{..ne.Z1..VlO...e..k.g.........k.6.r..........be'`t#..zu39.|[..6=9....4..H."...-Cd.D.z.3c.g...S.,..D7.h.H=O.F6.{7.....H6G...S.......U.9.%w....`C.....y.G^@......O..........0.l.....0.Z.4..H..[.k..Z..Z..zm].v.......J.$ZMZ..yK.....Z.4.Z.Z.Z.Gr..M..j.b..Z^.1c.E........,....6&.9....3)....[W.vH...a...k~....,.........1..k.R..........iWd....M.V..O)..?y.....W...._<....p.p....`............`..b.......:............:.............Xj)...w.....-?M.bE|[...I.eki......&.U.6.........l4.[..N.F.....|...qc.Zj.7.....;.f/..w..=......}L[...k.E.S/.x....3-...^.R....."Z.........[........:.;...n.Z..~.....;.....%w....P7...'R^....E[?.C...X.$.^Y.Yj...}...iS.O.....m........r%..4yy.r..I.....Io...'i..;..._....K.7.%.Q../.\......X....3;_........[...[..ti.........._.-..Z.l;j)e.L.lyf"Dm..^4...-.|G.E VdRD..M....S[.{.i6G...~/7V.h....M..;^.1~.}.;......=9.]S2....y.w|Y.#s(..X..;....:=....Y_#.\r......RkY.$.e.mk..n.E|..m|....kk...O.......'......-..n.z..XZ}m\H.._e.....V.x9........!.../.xs......f.......5.Zl .......x.....].?/..9r......h...]^}M....<....;..........p.p....`........}.....n..~....4............. ^=..kc...|j..4{u[.......H.2...Y1......R..|x.5M......j..4.%..x......!ij....bXcT..^ file.