Win32.Viking.AX_45db9e92ad

by malwarelabrobot on April 3rd, 2014 in Malware Descriptions.

Win32.Viking.AX (BitDefender), Exploit:Win32/ShellCode.gen!B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Qvod.ank (v) (VIPRE), Trojan.AVKill.11573 (DrWeb), Win32.Viking.AX (B) (Emsisoft), Artemis!45DB9E92ADF0 (McAfee), W32.Wapomi!gen1 (Symantec), Virus.Win32.Qvod (Ikarus), Win32.Viking.AX (FSecure), Worm/AutoRun.LY (AVG), Win32:Malware-gen (Avast), PE_JADTRE.A-O (TrendMicro), Win32.Viking.AX (AdAware)
Behaviour: Trojan, Worm, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 45db9e92adf00b8de9b733b52a306a40
SHA1: 40657201a984412125d32ac3a9d7dc33155e6942
SHA256: d3ed8896b7cfc812d61e0342705084247976725e0972f21ede4c8d3addc4e858
SSDeep: 6144:mwtKDxiswkBYK5Tz77uCYXilJbg5O5/9Wy:0TYK5/7 XST5lX
Size: 242688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2010-09-08 22:16:40
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

57124ba2.exe:2896
%original file name%.exe:320
reg.exe:1652
reg.exe:2044
reg.exe:844
reg.exe:520

The Trojan injects its code into the following process(es):

svchost.exe:1136

File activity

The process 57124ba2.exe:2896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Infotmp.txt (456 bytes)

The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Infotmp.txt (456 bytes)
%System%\appmgmts.dll (242688 bytes)

The process reg.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\r663215ff.txt (3806 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 9B B4 79 90 5D 20 51 64 56 78 93 40 E6 7C E8"

The process reg.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\5163053E]
"Type" = "1"

The process reg.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\5163053E]
"ImagePath" = "system32\5163053E.sys"

The process reg.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\5163053E]
"Start" = "3"

Dropped PE files

MD5 File path
8ccbd9aba7ff4f6190d151b6ccb38efc c:\WINDOWS\system32\dmutilio.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

KeInsertQueueApc

Using the driver "%System%\5163053E.sys" the Trojan substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:

MJ_CREATE
MJ_DIRECTORY_CONTROL

Using the driver "%System%\5163053E.sys" the Trojan substitutes IRP handlers to control devices of tcpip.sys driver:

MJ_INTERNAL_DEVICE_CONTROL

Propagation

VersionInfo

Company Name: Shenzhen QVOD Technology Co.,Ltd
Product Name: QvodInstall Module
Product Version: 3, 0, 0, 0
Legal Copyright: Copyright(C) 2006-2009 QVOD
Legal Trademarks:
Original Filename: QvodInstall.exe
Internal Name: QvodInstall.exe
File Version: 3, 0, 0, 0
File Description: QvodInstall Module
Comments:
Language: English (United States)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             49152         21504     5.52493  f6eb240322cd78af0c93c914983b29da
.rdata   53248            12288         4608      5.43345  6663c344ae9ba3fe17ebe78212b5ff76
.data    65536            20480         11776     5.48192  b6507624347c807f729c29635c24cd28
.rsrc    86016            159744        148992    5.54253  6a78028585bf2331daa1896503d00ce3
.UPX0    245760           8192          3072      5.32369  aa12a6555e17c14067054b55c6c38038
.UPX1    253952           36864         33280     5.53866  444aa4cc3c7a0483c6cf2183239ff3df
.reloc   290816           4096          3072      5.14192  96b72e1cc79e921e22de659fb82c2b8e
.aspack  294912           16384         15360     4.04081  db344d172c9ef14bacec0dba4f892bb1
.adata   311296           4096          0         0        d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
287a5a75e19cdb58d00f9763e2a69218

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
SURICATA ICMPv4 invalid checksum

Traffic

GET /CSC3-2004.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: CSC3-2004-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "5068635391784c74dc0a5a7140856f08:1395911413"
Last-Modified: Thu, 27 Mar 2014 09:10:13 GMT
Accept-Ranges: bytes
Content-Length: 96264
Date: Thu, 27 Mar 2014 20:44:47 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:17 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:17 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:18 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:19 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:20 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"
Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Thu, 27 Mar 2014 20:44:21 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"
Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Thu, 27 Mar 2014 20:44:27 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"
Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Thu, 27 Mar 2014 20:44:28 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"
Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Thu, 27 Mar 2014 20:44:29 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"
Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Thu, 27 Mar 2014 20:44:30 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"
Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Thu, 27 Mar 2014 20:44:31 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

GET /msdownload/update/v5/redir/wuredirt.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 195.22.26.231
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 27 Mar 2014 20:44:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=15c5f01238e31651dcad6fae2af483a3|193.138.244.231|1395953054|1395953054|0|1|0
Set-Cookie: snkz=193.138.244.231
Content-Encoding: gzip


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5041
Date: Thu, 27 Mar 2014 20:44:38 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5041
Date: Thu, 27 Mar 2014 20:44:38 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5040
Date: Thu, 27 Mar 2014 20:44:39 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5040..Date: Thu, 27 Mar 2014 20:
44:39 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5039
Date: Thu, 27 Mar 2014 20:44:40 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5039..Date: Thu, 27 Mar 2014 20:
44:40 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5038
Date: Thu, 27 Mar 2014 20:44:41 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5038..Date: Thu, 27 Mar 2014 20:
44:41 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5037
Date: Thu, 27 Mar 2014 20:44:42 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5037..Date: Thu, 27 Mar 2014 20:
44:42 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5036
Date: Thu, 27 Mar 2014 20:44:43 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5036..Date: Thu, 27 Mar 2014 20:
44:43 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5035
Date: Thu, 27 Mar 2014 20:44:44 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5035..Date: Thu, 27 Mar 2014 20:
44:44 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5034
Date: Thu, 27 Mar 2014 20:44:45 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5034..Date: Thu, 27 Mar 2014 20:
44:45 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5032
Date: Thu, 27 Mar 2014 20:44:47 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5032..Date: Thu, 27 Mar 2014 20:
44:47 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892
....



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=5031
Date: Thu, 27 Mar 2014 20:44:48 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Cache-Control: max-age=5031..Date: Thu, 27 Mar 2014 20:
44:48 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B60
9892..


GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"
Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Thu, 27 Mar 2014 20:44:22 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /resources/tools/getpublicip.shtml HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: vbnet.mvps.org
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Thu, 27 Mar 2014 20:44:13 GMT
Content-Length: 1245

<<< skipped >>>

GET /msdownload/update/v5/redir/wuredirt.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 195.22.26.231
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 27 Mar 2014 20:44:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=2e6f8266357cd74177ef7252541d58f6|193.138.244.231|1395953075|1395953075|0|1|0
Set-Cookie: snkz=193.138.244.231
Content-Encoding: gzip
14........................0..


GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"
Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT
Accept-Ranges: bytes
Content-Length: 37283
Date: Thu, 27 Mar 2014 20:44:32 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

svchost.exe_1136_rwx_0505C000_0000B000:

D$<%d

svchost.exe_1136_rwx_05068000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvcrt.dll
shlwapi.dll
ws2_32.dll
iphlpapi.dll
wintrust.dll
mpr.dll
advapi32.dll
shell32.dll
3, 0, 0, 0
QvodInstall.exe

svchost.exe_1136_rwx_10001000_00057000:

imagehlp.dll
drivers\tcpip.sys
\drivers\tcpip.sys
router.bitcomet.net
router.bitcomet.com
router.utorrent.com
router.bittorrent.com
UDP Port
TCP Port
key not found:
unsupported message type:
unsupported request:
port
dht.log
log.log
name.utf-8
controlURL
http://
URLBase
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
AddPortMapping
NewPortMappingDescription
NewInternalPort
NewExternalPort
DeletePortMapping
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
External NAT port in use
External NAT port in use: Too many retries
Port mapping not owned by this class
Error getting StaticPortMappingCollection
port=
mscoree.dll
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetProcessWindowStation
user32.dll
portuguese-brazilian
d:\Work\Order\Dlft2\trunk\Dlft\Release\DLFT.pdb
USER32.dll
.?AV?$bind_t@XV?$mf1@XUdht_tracker@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAUdht_tracker@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf1@XVnode_impl@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAVnode_impl@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
zcÁ
|%System%\svchost.exe
GetCPInfo
HttpQueryInfoA
InternetOpenUrlA
\=.LO
.text
`.rdata
@.data
.reloc


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    57124ba2.exe:2896
    %original file name%.exe:320
    reg.exe:1652
    reg.exe:2044
    reg.exe:844
    reg.exe:520

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\Infotmp.txt (456 bytes)
    %System%\appmgmts.dll (242688 bytes)
    %WinDir%\Temp\r663215ff.txt (3806 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
