MD5: ae734f798b1eeeb6679f2eda22abebcc
SHA1: ee3e6f8d3553eb6e08b525a337eb6afd1e80634e
SHA256: 75cd61d01026d28f0052fcb47aeb4810f5279472a303e61da3b938de21511bb4
SSDeep: 12288:WNqGVHyumnXIjlGKdPb5HuEtZbeDpE6WMJlDk7JzZjM:aqGVSVXIjlpP5XStlJlDkp
Size: 450560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: Company
Created at: 2016-06-13 03:06:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:468

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\MSINET.OCX (132 bytes)
%System%\COMCTL32.OCX (3681 bytes)
%System%\COMDLG32.OCX (350 bytes)

Registry activity

The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE B2 6C 9B 66 12 7C 63 C6 99 18 0A 9E 62 EE DB"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Si4OPonke
Product Version: 0.00.0061
Legal Copyright:
Legal Trademarks:
Original Filename: pb.exe
Internal Name: pb
File Version: 0.00.0061
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://blogspot.l.googleusercontent.com/
hxxp://googlecode.l.googleusercontent.com/svn/trunk/html5.js
hxxp://googleadapis.l.google.com/css?family=Oswald
hxxp://gstaticadssl.l.google.com/s/oswald/v11/-WzdRTzRa5k6HlJK6-dK9Q.eot
hxxp://googleapis.l.google.com/ajax/libs/webfont/1/webfont.js
hxxp://googleadapis.l.google.com/css?kit=e9l7fV-3xzXBO6qidGAzZw
hxxp://scontent.xx.fbcdn.net/en_US/all.js
hxxp://pagead46.l.doubleclick.net/pagead/js/google_top_exp.js
hxxp://go.oclasrv.com/apu.php?zoneid=190939	78.140.191.84
hxxp://onclickads.net/apu.php?zoneid=190939	88.85.82.171
hxxp://scr.kliksaya.com/js-ad.php?zid=180648	216.185.100.67
hxxp://blogger.l.google.com/img/icon18_edit_allbkg.gif
hxxp://photos-ugc.l.googleusercontent.com/-RTSeOwxDBks/VC-S10IdSxI/AAAAAAAADy4/v9_P0-lks_A/s1600/csg-542f92beb36dc.png
hxxp://scr.kliksaya.com/ifr-ad.php?zid=180648	216.185.100.67
hxxp://scr.kliksaya.com/js-ad.php?zid=180646	216.185.100.67
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.4.1/jquery.min.js
hxxp://photos-ugc.l.googleusercontent.com/-S_6fbGX2eeo/Va5Vu2eFvaI/AAAAAAAAAN0/U3dVZUcQbZg/w72-h72-p-nu/pb+garena.jpg
hxxp://blogspot.l.googleusercontent.com/-iSyx2kVF964/VbhbgXJALaI/AAAAAAAAAOI/zFFIUg0mZdw/w72-h72-p-nu/cit+hshs+indo.jpg
hxxp://blogspot.l.googleusercontent.com/-s4Bi1FD660U/VLT0DZtvVMI/AAAAAAAAAJs/dlCr2i7ZE-0/w72-h72-p-nu/PointBlank_20150113_172843.jpg
hxxp://googleapis.l.google.com/ajax/libs/jquery/1/jquery.min.js
hxxp://scr.kliksaya.com/ifr-ba.php?zid=180646	216.185.100.67
hxxp://star-mini.c10r.facebook.com/plugins/likebox.php?href=http://www.facebook.com/wawcheater&width&height=62&colorscheme=light&show_faces=false&header=true&stream=false&show_border=false&appId=844584778898302
hxxp://www.google.com/images/icons/ui/gprofile_button-16.png	173.194.113.211
hxxp://platform.twitter.com/widgets.js
hxxp://scr.kliksaya.com/upload/ban/59/GBR059934.gif	216.185.100.67
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js	216.58.209.170
hxxp://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js	216.58.209.170
hxxp://connect.facebook.net/en_US/all.js	31.13.90.6
hxxp://pagead2.googlesyndication.com/pagead/js/google_top_exp.js	173.194.113.205
hxxp://1.bp.blogspot.com/-S_6fbGX2eeo/Va5Vu2eFvaI/AAAAAAAAAN0/U3dVZUcQbZg/w72-h72-p-nu/pb+garena.jpg	216.58.209.193
hxxp://fonts.googleapis.com/css?kit=e9l7fV-3xzXBO6qidGAzZw	64.233.164.95
hxxp://fonts.googleapis.com/css?family=Oswald	64.233.164.95
hxxp://www.facebook.com/plugins/likebox.php?href=http://www.facebook.com/wawcheater&width&height=62&colorscheme=light&show_faces=false&header=true&stream=false&show_border=false&appId=844584778898302	31.13.72.36
hxxp://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js	216.58.209.170
hxxp://4.bp.blogspot.com/-RTSeOwxDBks/VC-S10IdSxI/AAAAAAAADy4/v9_P0-lks_A/s1600/csg-542f92beb36dc.png	216.58.209.193
hxxp://waw-cheater.blogspot.com/	216.58.209.161
hxxp://img2.blogblog.com/img/icon18_edit_allbkg.gif	216.58.214.201
hxxp://2.bp.blogspot.com/-iSyx2kVF964/VbhbgXJALaI/AAAAAAAAAOI/zFFIUg0mZdw/w72-h72-p-nu/cit+hshs+indo.jpg	216.58.209.161
hxxp://2.bp.blogspot.com/-s4Bi1FD660U/VLT0DZtvVMI/AAAAAAAAAJs/dlCr2i7ZE-0/w72-h72-p-nu/PointBlank_20150113_172843.jpg	216.58.209.161
hxxp://fonts.gstatic.com/s/oswald/v11/-WzdRTzRa5k6HlJK6-dK9Q.eot	173.194.113.216
hxxp://html5shiv.googlecode.com/svn/trunk/html5.js	108.177.14.82
www.blogger.com	216.58.214.233
static.xx.fbcdn.net	31.13.90.6
apis.google.com	173.194.113.194
resources.blogblog.com	216.58.214.233
googledrive.com	216.58.209.161

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ifr-ad.php?zid=180648 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:54 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 1378

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot{border:#FFFF
FF 1px solid;background-color:#FFFFFF;height:58;width:466;overflow:hid
den;}..at,.at A:link,.at A:visited{font-family:Arial, Helvetica, sans-
serif;font-size:10pt;overflow:hidden;margin:0 auto;font-weight:bold;co
lor:#66B5FF;text-decoration:underline;}..ab,.ab A:link,.ab A:visited{o
verflow:hidden;margin:0 auto;text-align:left;font-family:Arial, Helvet
ica, sans-serif;font-size:10pt;text-decoration:none;color:#dedede;}..a
b A:hover{text-decoration: underline;}.</style></head><
body bgcolor="#FFFFFF">.<div class="ot">.<table width="468
" cellspacing="0" cellpadding="2"  style="height:60;">.<tr>&l
t;td width="50%" valign="top" align="left" height="35"><div clas
s="at"><a href="hXXp://click.kliksaya.com/?aid=2866413&zid=18064
8" target="_blank">Bisnis sambil Menabung</a></div><
div class="ab"><a href="hXXp://click.kliksaya.com/?aid=2866413&z
id=180648" target="_blank">Bisnis Menabung dari SALIM Group aman te
rdaftar di OJK!!!</a></div></td><td width="50%" v
align="top" align="left" height="35"><div class="at"><a hr
ef="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target="_blank"
>Solusi Tepat MR. P GEDE</a></div><div class="ab">
;<a href="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target
="_blank">1-2 minggu tambah 4cm . TERBUKTI . tidak banyak janji .. 
BUKTIKAN !!!!</a></div></td></tr></tabl
<<< skipped >>>

GET /ajax/libs/webfont/1/webfont.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Date: Sat, 18 Jun 2016 06:11:26 GMT

Expires: Sun, 18 Jun 2017 06:11:26 GMT

Last-Modified: Fri, 08 Jan 2016 19:27:41 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 5440

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000, stale-while-revalidate=2592000

Age: 514345
...........[iw.6..._A...% ......V.q..M.,v.......%F.)..e.......".J...Z 
..`.g.h....O.a:........{O..).c.9 ....$..>..M..$..6O..i..k.3..G.X.'.
.Q.h.vW3....t..n..6e7Z..4.<..#..0....}> .(..t:.#..\[D.X..f../j..
 ..2... ....5V(..E1.u:...f.X;.F.Xv.;oN..N..vA...1.y.k...G.6..hl..|....
-.4..(.h R"x.EE..,-O.b.2N..Q^d.7/..U..]7;.c,...3..L......Y........i...
...N.O........./N.O....X;8...>9}ai...:[email protected]......|..(.|
l-....k...g.v..x6.r:....Z.M....[lj..$).....=.8M..M.h.W{.S.............
......^..(...Iz.T..a:#.'>.i..eQc.`.g..m..y......tT7...(.,...S......
z..(4v.Y..t..eY......g.0;......W,... ...=.."-nf..I...F5..7.EQ.l.......
.k...(,..| ..`..v.Z.].N..?j.$%?..X.5V'>.Z.{;..."=..'#[email protected]
3.....y.$:Q.$.8n.D,../X..$],.w..N.B...S.....-Y...e.(L\o.T.W...... .u|.
..,@m..IJ......1?.X.(.4..HQ.br.W...&..3.X........c..]$....T....j.z^..\
w...lQ..<?......a...8(..0..jM..[-q.<...Q..k...S0.JVKI._y...A#^(.
..7.lt.....t..[....\.......a...s..b=..1..A..zP.X. zt*.........J|..iq;.
.*.....1-.v...SZ............5B.....1..t..>t...h...N.....*\..{6.....
.\E.\).X. .V....J W..Y....b...\...F..k.ig|.C..nG.z..Q....;..7..\J|...;
.....VT......D..Qr].....Ua.qnW.g..z......f.!.I......!:<.1...g......
......{.z.u|.W).:..\t....(......DU5.lD.j.V .".12..%.B'.6.T..d.[0*qO*a&
gt;....q...gMy.......L.7N.F..q.V [email protected]?...
B.($`....Ds.=...h..I..E..C...9.A<..x#...q ..U..h..8w...w...Y4..n...
y .\!=......p.....*xs...R.,.....Z:......m.h...n#,..N.&.....~L.8<...
...Xh....a..B..2....?.....r......{Oc.FNy..W.0.B..MLj.....G5T(.7...
<<< skipped >>>

GET /ajax/libs/jquery/1.4.1/jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Date: Tue, 21 Jun 2016 22:01:53 GMT

Expires: Wed, 21 Jun 2017 22:01:53 GMT

Last-Modified: Fri, 16 Oct 2015 18:27:31 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 24049

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000, stale-while-revalidate=2592000

Age: 198122
............i{.8.(.].B..q..-.I.}..f.f.NO..i..# }I..(K..%.#.......(...9
..b. v.jCU.....|...s....?D....2[..?f.2..O......g.^/.Ngz.Y..b..T...X./.
.d.|.=.z...I..9]ec..r....l...4in.$]6.......f.l....._..* ..c.o.>l.X.
;..l.M>.m.t...>......(....Ju....../.i.|]@..5t.........^...K....u
.G..4.h....0..".._.....{.?yBm5....v!_...6...r?{..V.5g. ...=.....i....z
y.]..b......,..x..*f3.....#..h=........l....;..s.,..f....%V...^..6r#/.
...Z.{.v4....f9.)..V....E.U...D.......4...........O......n....."_CG.5.
.t....?.v.#........"IOO.7.......d...E.....^.......S.lN..=K..z.....c...
.a...4...lG....y3....Jr/....'Q3...PCr.....Ivz::=..x.V..bey....i..Z"u#.
).F..=.`%.=...!..:[6"....f.b.?..f.0....\n...8.....5.....IkS~....z.1>
;.#.B.M..6.W......'....6l.h......,.G.[8....a.......\.......o.........O
......v..$[y...rD{.}J........z]......Vq............N..~1.BS*....n7mG..
..FK.?[..{.?z..xzv..,.R.....P}.:................0#......&...`...X.}.K.
L.u.6...,.bW`...h.g....;..Q{.Y"...o.. ....3....U0.....<...A.Z....a.
...To`...m..s..f.B.........}J.1../...b..2..b.)Z..L.l.\$<-[...{.....
...K...eI..AeN`"h|.-...r.x0R|ah.\^*`..'...C..............?98.m..F.....
..U ../f.0u;W...s....Njb..c.......$..N"...v.[;.?......e.7.[.......F..5
..e..D5.....@)..*......E....[...mkn....Q.Ho..`.X..7.8!H..p...^...GB.N.
.....'[email protected]...{c...EQ...c....1...JD...au.^f...q.V....=.,.2 .w.F
.sQ,..G\tOO.a{.Y,...=......"..9Y..E.................0]....&..........r
1P4...?.....KI...B..........T}z-.vE....J...b.(..N.A.a......o.G....T.(.
.~j@.?L..%.2H.a..9..r..J....Wn.I.g.]......^...lac.>r...|(......
<<< skipped >>>

GET /ajax/libs/jquery/1/jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Date: Sun, 19 Jun 2016 21:04:33 GMT

Expires: Mon, 19 Jun 2017 21:04:33 GMT

Last-Modified: Fri, 16 Oct 2015 18:27:31 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 33225

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000, stale-while-revalidate=2592000

Age: 374362
............{w.../...."2[..-...9;.!^{..;. .ql...."../..H..|.[...F.....
...u...4....U..8..9...].y<yw......O.48y.......G.....2.w.j.N.\.=.x}.
/..fz>/.|..O...Ggr.L...U.<y..:Ow^.....jr.Xew......^..^mv.a.5.{.*
.[...0..;. ,......)....fu....O>.lV.......w.&...'..2.<..nFo....6.
.n.<.V.C..}...O.e.y..])?..p7 ..:.w..$.Fc.Eio..R9=..e......w.......?
|;Q.....h.....6.r...e.o.._~.Y....Q. .<.d.<......c...dI..;.rP....
........__=|..w...g.S..lg....ZG.g..*..~....B..7.P.._S.^........-z..j..
.EO.-.\..lw..t.......9?z.....n...n..f.?. l..zi<...n..4.U....n>.D
......s.w.........jeX.7.8..T.ULh$.|3.9k.........n..[...."A.]. ..E%....
,l..E...%%....m..*m.}.b...p...f.e...J...a.e.k.g.x..?..m..O..`Rl..c...~
.....f9..<.m..; ....w},g...|...^F....2..x...8..Q.2;:J.`.}cm.F......
..i#....y....h..O....w.~v...h1i.3...mz;...x...=..h..d3...s1...%..<.
.%........R.LW.....a....Wl_.~M.....:...(*.......,.....*".*;.. -.......
.<...(..J...v.(E.NO..V....R..N.j.....F.. ......K.1>=-?..0.J.6...
....|d....I.J.w.";...p.J5.4-.....&&T..........n.. y..Ao...q...W..Kz^..
...8{.;}.....q.....W.......z.lr.$."....\.........[*...Q..9......8.3WN7
....}S.-E:[email protected]).g.~o....u..{.U
...W.~.9}*[.m.A?...?=.\......{...-P.u.....o'^....~B..'S..{.[./."4.4...
.!..I2.,.M....N..B..V..u.w=/l..L..p&u8....`\.sh......x...x^6J'Z..Jt..^
h......M.).;.V)#}.......H.E>.E.6..n....X....V.............w.Y.Ld.W.
{C.`b.)-.7.X.!!....e0.4...t.L.N.',.`r..rA.../.k<..y.D F...d..7.|N$5
.........d.Q0W..}.....E..,....`.... .....s..(>..&....u..o|{..CC
<<< skipped >>>

GET /en_US/all.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: connect.facebook.net

Connection: Keep-Alive

HTTP/1.1 200 OK

ETag: "a2f38fb62a52be657f286b116ac83f47"

Cache-Control: public, max-age=1200, stale-while-revalidate=3600

X-XSS-Protection: 0

content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data: chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline' data:;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* hXXps://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: 127.0.0.1:*;

timing-allow-origin: *

Content-Type: application/x-javascript; charset=utf-8

X-Content-Type-Options: nosniff

Strict-Transport-Security: max-age=15552000; preload

Expires: Fri, 24 Jun 2016 05:13:06 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-MD5: yZlE/KB587QgKsG4hECzQA==

X-FB-Debug: y/pBZ jeaMtefNJQQJHYwH3mCvfM0dOE70azOjwmGIaVyjW8y7onlQRRCn5r97AyDTwMLdEfZadd1NU729wUnQ==

Date: Fri, 24 Jun 2016 05:03:51 GMT

Connection: keep-alive

Content-Length: 56788
............y..H.(...?...X..1..B.|\[O............l.B..x..g.b.Le..].5..
...e........./.GO.<}t.........*..8....4L.V.j.Qs..|......_.........U
...Mn..b0......$....W.,.....8...Y....t.T.&...d.W.g.f.Ee......t........
*YO....Kg{...~........_...2...~r]..j..T.g1....^...9..;.... . .V.d..V..
;Y.>I.i2...u.jW*..J...rL..i.<.`.av.^P[.J.Lgi...d....&\..t.j...Qd
6.UDz1...4s.Xz...y..Q.......tp|.......7....}z......3y~...6.....].XW...
v....Mn~... ..)tu.U.,.~..A2.r..... ...L.E.H.B...U*g..IZ.b_!4.h... ... 
... .V...S?).<.....sKx.y...=..~...9..>iE...:..m....y..N.gP1`#.O.
...v.F.i*...?..q/......,!.8..i.z....o.K.J..(r.YS..'.<..~..4.T..I...
Y........:5...<<.n.;;[CW.f<..6..A.6d#.%..p...........F..J.,..
.4....l..^z.. dV..#....h..g{.i.M..{..t..pg.:.OD*[email protected]..:......
..c1..g.GP.;=.=...C.6.&'.`.*....m...........7....z...:-...a.|.P..[....
C..V2a..,...`.L.S..R.r.z.s....jc%[email protected]"..1..
u..1....r..r...([email protected]]G'...}.5UO.2T...=.p.*(.C.....1...n...........
I...5......2,..W..%.l.c....U..8...*.K..z...0.K.n.....h...-.....A..V...
....Y&..........~.L_C...I..).2.i.....VA...i.....=..Y}e9.n.m./h".Q..<
;[email protected]!.......,L......fA.."...?}...{.P................~1p.Gp3I.i...e
.|L.wN....D..:..&0..m5p.....g..[..2X.....A..].\[email protected].
..........].9....I...q.z.3......O...aUF$.v."lGp{.3..z...$:s.=.[.V.5.].
....9]-.f.....\l..V.Z{...e.jC..-II..";.VC..i.4SlX..I....d...x...../.}.
V.3...',......t.:.O.(..g...o..w..h.%*......k...s9....{.....{..V.....KB
H.@;.....W.4...[.).<e......Q.....3O.B...z^...JX.g.....O....u$..
<<< skipped >>>

GET /-RTSeOwxDBks/VC-S10IdSxI/AAAAAAAADy4/v9_P0-lks_A/s1600/csg-542f92beb36dc.png HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 4.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Expose-Headers: Content-Length

ETag: "vf2f"

Expires: Fri, 24 Jun 2016 23:40:29 GMT

Content-Disposition: inline;filename="csg-542f92beb36dc.png"

Content-Type: image/png

Access-Control-Allow-Origin: *

X-Content-Type-Options: nosniff

Date: Fri, 24 Jun 2016 05:03:53 GMT

Server: fife

Content-Length: 813

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 0
.PNG........IHDR.......N......|.H....bKGD....1.....pHYs...H...H.F.k>
;....IDATH.... |a..?3..D..L.-.R....b...B..Z$VB.r-....K6..b(%...B."wc.1
~....s...._?.z...<..<.s.....T....V8?..... /......=..p..Y.BZ.xV..
...F5.`....\x...74...8;S.ml.........22t........."0z.=*....fSg.....!,..
0".rsagGm......AB.P^....ry'|.ge.....=c........h...0.!...N....C........
.....X.....S...R.vR.tt.........N..E..M.i.....w...  .........5....PV&$_
-z}.....$)....=44@p............|..{..V ..Jj."&...`~.jk!1..brr..T6..._.
[email protected]*==R........R_kkPQ.v;..-..........Nhi.., ...`z...rAS.......\..
.........GG...W.''..../.j5.. ;......Q...SR.G........23..YNen...f....&l
t;<@a!..h..4.`.._X..U....D1>>`w.....K.mx..,.....lnj.v.C..`b..
....aR...@}.(...4.....l..u...K....~...ayY..b....8...>.[.......?.gM|
''....%...UZ.o.....H...!.;4?y..PR"......S......!L...x.3....IEND.B`.HTT
P/1.1 200 OK..Access-Control-Expose-Headers: Content-Length..ETag: "vf
2f"..Expires: Fri, 24 Jun 2016 23:40:29 GMT..Content-Disposition: inli
ne;filename="csg-542f92beb36dc.png"..Content-Type: image/png..Access-C
ontrol-Allow-Origin: *..X-Content-Type-Options: nosniff..Date: Fri, 24
 Jun 2016 05:03:53 GMT..Server: fife..Content-Length: 813..X-XSS-Prote
ction: 1; mode=block..Cache-Control: public, max-age=86400, no-transfo
rm..Age: 0...PNG........IHDR.......N......|.H....bKGD....1.....pHYs...
H...H.F.k>....IDATH.... |a..?3..D..L.-.R....b...B..Z$VB.r-....K6..b
(%...B."wc.1~....s...._?.z...<..<.s.....T....V8?..... /......=..
p..Y.BZ.xV.....F5.`....\x...74...8;S.ml.........22t........."0z.=*
<<< skipped >>>

GET /ifr-ad.php?zid=180648 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:54 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 1378

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot{border:#FFFF
FF 1px solid;background-color:#FFFFFF;height:58;width:466;overflow:hid
den;}..at,.at A:link,.at A:visited{font-family:Arial, Helvetica, sans-
serif;font-size:10pt;overflow:hidden;margin:0 auto;font-weight:bold;co
lor:#66B5FF;text-decoration:underline;}..ab,.ab A:link,.ab A:visited{o
verflow:hidden;margin:0 auto;text-align:left;font-family:Arial, Helvet
ica, sans-serif;font-size:10pt;text-decoration:none;color:#dedede;}..a
b A:hover{text-decoration: underline;}.</style></head><
body bgcolor="#FFFFFF">.<div class="ot">.<table width="468
" cellspacing="0" cellpadding="2"  style="height:60;">.<tr>&l
t;td width="50%" valign="top" align="left" height="35"><div clas
s="at"><a href="hXXp://click.kliksaya.com/?aid=2866413&zid=18064
8" target="_blank">Bisnis sambil Menabung</a></div><
div class="ab"><a href="hXXp://click.kliksaya.com/?aid=2866413&z
id=180648" target="_blank">Bisnis Menabung dari SALIM Group aman te
rdaftar di OJK!!!</a></div></td><td width="50%" v
align="top" align="left" height="35"><div class="at"><a hr
ef="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target="_blank"
>Solusi Tepat MR. P GEDE</a></div><div class="ab">
;<a href="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target
="_blank">1-2 minggu tambah 4cm . TERBUKTI . tidak banyak janji .. 
BUKTIKAN !!!!</a></div></td></tr></tabl
<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: waw-cheater.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Expires: Fri, 24 Jun 2016 05:03:49 GMT

Date: Fri, 24 Jun 2016 05:03:49 GMT

Cache-Control: private, max-age=0

Last-Modified: Thu, 23 Jun 2016 20:42:13 GMT

ETag: "444befb4-4c9b-4055-972f-40bd3c5a20b1"

Content-Encoding: gzip

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Length: 19065

Server: GSE
...........}y[......SL...n$[...c..-....H.....2..d..d.p...93#i$.`....Mi
...g.~f..';G.'...%.h.n...?.v.A...2...^8(O.h...///k......z..._aiQ.gf..}
.....O..Mk..S.n.Em#2.-.....j..[...q......U.......]...I^.V.."....$.....
.s!Z.|...^x.(.{..H.SX.....xz..z.3......F..|/.^4(_:v4.......^..s".p..2\
:..)$L.........3.tP.p.....r}...^E...51..F...=u.Lp`*.c.\.....zr=..m....
=..5..).V...z:T.......-...@... C....k..qa...fe4.....J.....&~$V...D.'.E
...>.r..AR.P,...\......c.......U<zIv..Vkc..8SZ...>....l...wF.
^g00.Qp}s.x...|..>p]...#c:........F..2"kR...[..J).. *)..u.(...}....
#?...E.=....d.....>......z.}-....A(...c.q..B^kp...z............s`.&
lt;........B..v.....3.9.. ..ka...jVo.F.A..v.i..h9..B..G3.J.sX.YIYK..43
2C...B..-R..0..Db...Y..f......Mj#....B.J.63....{..A.......[T..zW..c...
f.Ze\0...l.....h.....R2..RP..T..Z ."......N.E....... R...44.....v*..g.
[email protected]..?._N..V.A...50..mms`%x.....1.J.[&D.....(.1j..
.....>...9A..[...(S.x..a............K.A...%e.<[email protected]..
.axL,N^...?.. ..c.....iX....$...f......h].. ...s#...h..)....2...v.;S..
.......h.2<.s....1.d..."Z.....\(....H....C...E,.7....s.P.l...J.P...
).;PJ..>..(..td...D..R.. @........ [email protected].._.].p../IPuZ...jo...
..N..h..:.F=..!.4...^X..k.%m...cF......^..........,...!.~.B...M..7.]..
lv.....F.?r"[email protected]....{......O^...N.....vB......i.s.z.C]D.";
I......9&.g....9..b.`S..#$8...B<...At=(...<.b,a9v.7I.sc....d@@..
f..;:.K.#tl.wn;....H......Tl..qC.D.....y@....`....g........2.....\pg..
......p......2......../.....*e.\....H..u.T...^p.k.....R.?.!..5...3
<<< skipped >>>

GET /pagead/js/google_top_exp.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pagead2.googlesyndication.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 13036835877489095579

Date: Fri, 24 Jun 2016 03:23:10 GMT

Expires: Fri, 24 Jun 2016 05:23:10 GMT

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 67

X-XSS-Protection: 1; mode=block

Age: 6041

Cache-Control: public, max-age=7200
.......... ..K./.VO..O.I.O.-(../N..,(...K.)MIMQ.U.U()*M....G.^./...HTT
P/1.1 200 OK..P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p
3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"..Content-Typ
e: text/javascript; charset=UTF-8..ETag: 13036835877489095579..Date: F
ri, 24 Jun 2016 03:23:10 GMT..Expires: Fri, 24 Jun 2016 05:23:10 GMT..
X-Content-Type-Options: nosniff..Content-Disposition: attachment; file
name="f.txt"..Content-Encoding: gzip..Server: cafe..Content-Length: 67
..X-XSS-Protection: 1; mode=block..Age: 6041..Cache-Control: public, m
ax-age=7200............ ..K./.VO..O.I.O.-(../N..,(...K.)MIMQ.U.U()*M..
..G.^./.....

GET /s/oswald/v11/-WzdRTzRa5k6HlJK6-dK9Q.eot HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fonts.gstatic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Type: font/eot

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Date: Thu, 16 Jun 2016 02:55:15 GMT

Expires: Fri, 16 Jun 2017 02:55:15 GMT

Last-Modified: Thu, 19 May 2016 23:55:21 GMT

X-Content-Type-Options: nosniff

Content-Encoding: gzip

Server: sffe

X-XSS-Protection: 1; mode=block

Content-Length: 17911

Age: 698916

Cache-Control: public, max-age=31536000
..........dvUT........................=@p'...K.....9...w.V.....d..hL..
`\........ ......H...*........8..$....//[email protected]........
./.....q........ .'....O9.B."..j.....]...X..<........../....`.W....
....e...'............?..?.....|..vc.........?K.oJ.....?.............7.
...........`M..N...N.*....Qj..3.er..l.^.....u....S......5....X..8.1.."
`.........G......y,|.<`r .=e..........).n.uo...H..K[<...@......,
...b.o..N6...([email protected].^l....z. 5.6...l....p...................
...q(...f..5........y.x..T.......]=M..H}..(..-.....B...An..t....SU....
}...o...yf...?b%..3f. ..'{....J.a....W.U..J..U..LB.n.........b.......}
[email protected]..._../z;...J.S}....yz..?=.....S...#.#.Tr..*....$.uc..}...K
..RuG...~.n..H..,g.y[.Z...Tay...$N.:..#..h..N.%..v.{r..0..$.6.%.......
70.P....L|'...Yw..>....i=(..6}G.Mb.A.P..|8.._.8....X...~.........#o
c.7D....oU3.3.s....F ..UH.`_<.*^.....l=.L.'I/.p.EY;0.J/.....kd.m.&l
t;k.^...*.D....,....gz...H..l.l......B.....W`..r......".i.h....w.....V
..}6...%....d.....<.~u.2....a.a(....,/U<.;.)9.pq....G.t{..f.....
S.U...)./.V...Yv=.m/.q.f<'..V...#Y.Z.XB.au.:..mUfR.3.8..I.)....*q.{
.....t".;....y..`."....8..8...1.....o..........y.7...e.P..............
..W=>&.t,.'....).#-_~Zyd%.K.W.[sf.HEJu{..J............s....eS..vG..
..z...Jme.R.fEX'k.~.W..v......;n.L..:y...$.<Q....c....f.CG..rg..po.
.?>X......b.........S...l........3.f.2..i........AE..V.6.\~.C..V.0.
E.....;.....9.....N..%..1....._Z.....-.gx.7X.>..",....=....qmb..$5.
........1.0.v.k.a....M.....Z.>...]lMQ....k..i5>x7..F[.f.h...
<<< skipped >>>

GET /css?family=Oswald HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fonts.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css; charset=utf-8

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Content-Encoding: identity

Content-Length: 160

Expires: Fri, 24 Jun 2016 05:03:51 GMT

Date: Fri, 24 Jun 2016 05:03:51 GMT

Cache-Control: private, max-age=86400

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE
@font-face {.  font-family: 'Oswald';.  font-style: normal;.  font-wei
ght: 400;.  src: url(hXXp://fonts.gstatic.com/s/oswald/v11/-WzdRTzRa5k
6HlJK6-dK9Q.eot);.}.HTTP/1.1 200 OK..Content-Type: text/css; charset=u
tf-8..Access-Control-Allow-Origin: *..Timing-Allow-Origin: *..Content-
Encoding: identity..Content-Length: 160..Expires: Fri, 24 Jun 2016 05:
03:51 GMT..Date: Fri, 24 Jun 2016 05:03:51 GMT..Cache-Control: private
, max-age=86400..X-Content-Type-Options: nosniff..X-Frame-Options: SAM
EORIGIN..X-XSS-Protection: 1; mode=block..Server: GSE..@font-face {.  
font-family: 'Oswald';.  font-style: normal;.  font-weight: 400;.  src
: url(hXXp://fonts.gstatic.com/s/oswald/v11/-WzdRTzRa5k6HlJK6-dK9Q.eot
);.}.....


GET /css?kit=e9l7fV-3xzXBO6qidGAzZw HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fonts.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css; charset=utf-8

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Content-Encoding: identity

Content-Length: 160

Expires: Fri, 24 Jun 2016 05:03:51 GMT

Date: Fri, 24 Jun 2016 05:03:51 GMT

Cache-Control: private, max-age=86400

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE
@font-face {.  font-family: 'Oswald';.  font-style: normal;.  font-wei
ght: 400;.  src: url(hXXp://fonts.gstatic.com/s/oswald/v11/-WzdRTzRa5k
6HlJK6-dK9Q.eot);.}...

GET /apu.php?zoneid=190939 HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.oclasrv.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 24 Jun 2016 05:03:51 GMT

Content-Type: text/html

Content-Length: 154

Connection: keep-alive

Location: hXXp://onclickads.net/apu.php?zoneid=190939
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>..HTTP/1.1 302 Moved Temporarily..Serv
er: nginx..Date: Fri, 24 Jun 2016 05:03:51 GMT..Content-Type: text/htm
l..Content-Length: 154..Connection: keep-alive..Location: hXXp://oncli
ckads.net/apu.php?zoneid=190939..<html>..<head><title&g
t;302 Found</title></head>..<body bgcolor="white">..
<center><h1>302 Found</h1></center>..<hr>
;<center>nginx</center>..</body>..</html>....

GET /img/icon18_edit_allbkg.gif HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img2.blogblog.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Date: Fri, 17 Jun 2016 20:50:43 GMT

Expires: Fri, 24 Jun 2016 20:50:43 GMT

Last-Modified: Fri, 17 Jun 2016 19:20:35 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 162

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=604800

Age: 547990
GIF89a...........j4TSP..%...........)I5......S(..3&...1..#...!.......,
..........O..I...`.......(..1......"N.([email protected]........ ....ra
..R....../..yL `M.J..;HTTP/1.1 200 OK..Content-Type: image/gif..Date: 
Fri, 17 Jun 2016 20:50:43 GMT..Expires: Fri, 24 Jun 2016 20:50:43 GMT.
.Last-Modified: Fri, 17 Jun 2016 19:20:35 GMT..X-Content-Type-Options:
 nosniff..Server: sffe..Content-Length: 162..X-XSS-Protection: 1; mode
=block..Cache-Control: public, max-age=604800..Age: 547990..GIF89a....
.......j4TSP..%...........)I5......S(..3&...1..#...!.......,..........
O..I...`.......(..1......"N.([email protected]........ ....ra..R....../
..yL `M.J..;..

GET /apu.php?zoneid=190939 HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: onclickads.net

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 24 Jun 2016 05:03:52 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Pragma: no-cache

Cache-Control: private, max-age=0, no-cache

Expires: Mon, 26 Jul 1997 05:00:00 GMT

P3P: CP="CUR ADM OUR NOR STA NID"

Set-Cookie: OAGEOa2766=4|UA|63|KHARKIV|BROADBAND|PITLINE LTD||15610|25314|?|0; expires=Sat, 25-Jun-2016 05:03:52 GMT; path=/

Set-Cookie: OAID=fc3b03fc6bb0ca0b2d33bd443b9a61d5; expires=Sat, 24-Jun-2017 05:03:52 GMT; path=/

Set-Cookie: pbk2=33920969058c036f0a33b071f02306176299620227887214422; expires=Fri, 24-Jun-2016 05:13:52 GMT

Content-Encoding: gzip
2e0.............[i{.J..>.B...b.H..6.3.q....,..E.l...bc...[...$g..}.
.{N..........Krg..F.......U..................t.@.4.i.Ykk.W........z...
....R8.>..ukKy.j....@/\jVCK.z......H>...../.= .N&/.....Q.-.R....
.y.........W.#..;^w. (/......jJ.Z._S.....".N?t~}}K.:..m.....}.QT].2.4.
PK..f8..aL..x?j.....?..M.`ah...9OMC`*n.E...bU..F.|7 .5u..?-..}.$......
...lY......V...lJ.U..N:.|.s.j*...T....&<O.T=e. i<G.NEWk.G.MeWOe.
..G.L......:F3*.]Y.....qu-..c"EI&....,...N.d...l*cV..AK..&A/....*.B.c.
l.....=..T.$.S..L...Qv....h....S4Am.H.4.F}s..?.....h>3C....7..j..i.
rX0....Y..6...R>Z...D,..:.......F..?-....<....T.4}.m..6i...GY...
.l...L.N......i\....M...2.4...l.K...1Ri...6#..;..4.S..7".Hi..S.1.>.
<G:..........!.......K.R.B-.....X.j..F.i....4...u..t.P.g...g..K/...
...20ed...x./D.!.f.f.vVeX....T...tiO..... m.L.I...5..d........Z*...e..
.......I..,..y.jb..%..1H. .4........R:.5i.1....<5.H...j..)....L*..E
T..`......Y.?tG..E(k*$.....{....h..l[&....r6.2y..P.t.zBR...D...7y.Z4^.
T.....P..H%..t.Ha1...B$D4w.^/...t=. ..{)#i.{I.........T.V....PI5u-M.J.
g2.P`].).#}.D..M.rdJ.0ClI............B.Q....}.9.%...BUu...,....y...\..
m!|$x..g....Zmm..6....u.QmM...Dc.o..h......'.....fmm^X...:V...(.D..jk.
........i..:...Q...L.............N#t..Pg7<.Z}......f.i.z.<...:..
....c....m'...h.....9A8rGn../i.)5N.wD#...,..|9jpK....c8.{......h...{IM
.KU..W..^.......|..E...n......G..(p....i.p.wi.C.J.;i..S....F.h>..=?
.y...sy/.g........i..o.A...DNH..0.[..x..0...._.[..s....s.er/..ct*z..A.
vp/...^.?.I..t3u....^....[.p..7xiG....b....d...fL7-..t........O...
<<< skipped >>>

GET /-S_6fbGX2eeo/Va5Vu2eFvaI/AAAAAAAAAN0/U3dVZUcQbZg/w72-h72-p-nu/pb+garena.jpg HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 1.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Expose-Headers: Content-Length

ETag: "vde"

Expires: Sat, 25 Jun 2016 05:03:55 GMT

Cache-Control: public, max-age=86400, no-transform

Content-Disposition: inline;filename="pb garena.jpg"

Content-Type: image/jpeg

Access-Control-Allow-Origin: *

X-Content-Type-Options: nosniff

Date: Fri, 24 Jun 2016 05:03:55 GMT

Server: fife

Content-Length: 3897

X-XSS-Protection: 1; mode=block
......JFIF.............*Exif..II*.......1...............Google........
......................................................................
................................................................H.H...
........................................7.........................!."1
..A2..BQ..Raq....#.CS...................................5.............
.........!.1A."Qaq.......2.....Bb3R...............?...mc..(....%......
M...3j..L;..6.........-...... ......9>..:[email protected]
.wX.\H..........fQZ...%.A.I.....vd.F....n..Uj.;....i..$.Z..Z[P.3..Y.B-
....I;.....f..w...G...........9V./..O.=X...!,Fp.....dB..3....;.o.P.iIH
...!<.>AX ...?...w..M.....=.A......q.hDg.2k...C_x.e.......h..MQ.
T~..\4s.?t..F.2....]?F..$TFq9....T.r.H`.Kn.>J.).B...7......h..GTC.S
.=5..L.Dk.:.m?..#.u..../..PY..."[email protected]#.b..^.
9f.n{O.e...i....:..l.$rH....O...y8..C.. h..:5<[.$.U[.V..\../6..t...
.#L....?......"..,.N.c.Y..=; ........(.{H...(p...O.M`..'...`.V.h.$..%A
...S;%q......)T.d.<..=........RI......\...C.3.=......p,%h._...<r
9...<.c.*.....U.hm...9X....m.JH.".U|......X.!-.LL7..Y$l..fm7..`.(..
....I.**..$..\....-..V4{G.O.O'\y..'6.....L...1.m/ .../)...n.$..R....H.
...N...#......j.....q..C.4\.!0..[......nI......-W..!......k..d..A.2..u
.i(..fZ.5&.5.........*...r....;..e....[R.1yQ ......u.Z\-Z..e.XJ4I.....
.Y.l.... h.3..........m^,.=k..X..]..}...G.....Y.n.9..Hz...R`j..97.c.R~
.&....t..........D #C....N.,..."..r~..?>.>|.....~..e...n......i.
...v.V....&..En.x.D.ks.0...QV..$.....:...q.N..u...&.......H.Jz..t.
<<< skipped >>>

GET /plugins/likebox.php?href=http://VVV.facebook.com/wawcheater&width&height=62&colorscheme=light&show_faces=false&header=true&stream=false&show_border=false&appId=844584778898302 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.facebook.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://VVV.facebook.com/plugins/likebox.php?href=http://VVV.facebook.com/wawcheater&width&height=62&colorscheme=light&show_faces=false&header=true&stream=false&show_border=false&appId=844584778898302

Content-Type: text/html

X-FB-Debug: yCEFCYrZaE8Gmq5WtjZWRZVL7XZ78qTXNmlbU0kbD10WouNvGM7kpqCnohAPlIzX1YWkFIdykKaP7ISzFi9dlw==

Date: Fri, 24 Jun 2016 05:03:56 GMT

Connection: keep-alive

Content-Length: 0
HTTP/1.1 302 Found..Location: hXXps://VVV.facebook.com/plugins/likebox
.php?href=http://VVV.facebook.com/wawcheater&width&height=62&c
olorscheme=light&show_faces=false&header=true&stream=false&show_border
=false&appId=844584778898302..Content-Type: text/html..X-FB-Debug: yCE
FCYrZaE8Gmq5WtjZWRZVL7XZ78qTXNmlbU0kbD10WouNvGM7kpqCnohAPlIzX1YWkFIdyk
KaP7ISzFi9dlw==..Date: Fri, 24 Jun 2016 05:03:56 GMT..Connection: keep
-alive..Content-Length: 0..

GET /svn/trunk/html5.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: html5shiv.googlecode.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8

Content-Length: 1579

Date: Fri, 24 Jun 2016 05:03:50 GMT
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

GET /-iSyx2kVF964/VbhbgXJALaI/AAAAAAAAAOI/zFFIUg0mZdw/w72-h72-p-nu/cit+hshs+indo.jpg HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Expose-Headers: Content-Length

ETag: "ve3"

Expires: Sat, 25 Jun 2016 05:03:55 GMT

Cache-Control: public, max-age=86400, no-transform

Content-Disposition: inline;filename="cit hshs indo.jpg"

Content-Type: image/jpeg

Access-Control-Allow-Origin: *

X-Content-Type-Options: nosniff

Date: Fri, 24 Jun 2016 05:03:55 GMT

Server: fife

Content-Length: 2281

X-XSS-Protection: 1; mode=block
......JFIF.............*Exif..II*.......1...............Google........
......................................................................
................................................................H.H...
.......................................6........................!."1A.
.2a#Qq.....$r..3BRSb................................4.................
.....!.1."AQa..q......BR....2Cr..............?...g:4...R0[.r.$l/5..$s.
j...D............_).....4.,.X$,?.Q..[T..........f...B.E.'....)...WYxcy
...U].s.V..%..|:u..C....$..$..xj........V...K...:e1..1.QO"..-...h..m@.
.oo.........n.....8.....* ...(l.%J/4.0.*.fO...&:.j...Ko.O.5..z=.O..).f
-`...k...$.P.b.^..~V1u.0.^B..NzaE..b.,.HE .....3`.%g........T.1......O
Kl.../.5._;..&<....0.J..*...tb...j.h....\.Q....6..V...X............
9......T..u....`...^Il.\.*.....F..;.][email protected]@.<..H..y$p........I:
.n.S..P.n~e.e.6}...s3...6.....V$...i.. P&...ii...jm..EG...];..8..L...s
.UU.E....,...L.........`~....._V&.....*b......<..a.6....J<..Q..&
lt;...T..fF.).|6..t.. ..p...H.x..x<.KI.....n....b.....Y.u.T..(.3...
.h.3.....-.i....e...*..2r....U.2>^.S.Y>&.....J..vZw.]..6....&>
;.....TG...E..Vw(l.u...O.3....V.$..N...bs....k.S...!PVat...N......9'..
..>\..q1;...>....P......7=...`..gT.c.Q.u.r~..~.T...s'.>6\.z..
.D>.a.'XT.^..o.;........R{.dr...n..Y....9...n...4:QM.@7>...I.$..
[email protected];D%4.t..)T.#8-..?^.9[...L..J.n3,v#b7...I?vST)}.lw.T.
] :......~.ge... ...FF.G4|.q.i.1..k}.....ju0.zq...v..g.s..DF...!9CFY..
../.A6l.....\.....7..Q.JN..*O.x...Zr..s\..5.4.k.Ork.Qh.)j....q...Z
<<< skipped >>>

GET /ifr-ad.php?zid=180648 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:54 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 1390

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot{border:#FFFF
FF 1px solid;background-color:#FFFFFF;height:58;width:466;overflow:hid
den;}..at,.at A:link,.at A:visited{font-family:Arial, Helvetica, sans-
serif;font-size:10pt;overflow:hidden;margin:0 auto;font-weight:bold;co
lor:#66B5FF;text-decoration:underline;}..ab,.ab A:link,.ab A:visited{o
verflow:hidden;margin:0 auto;text-align:left;font-family:Arial, Helvet
ica, sans-serif;font-size:10pt;text-decoration:none;color:#dedede;}..a
b A:hover{text-decoration: underline;}.</style></head><
body bgcolor="#FFFFFF">.<div class="ot">.<table width="468
" cellspacing="0" cellpadding="2"  style="height:60;">.<tr>&l
t;td width="50%" valign="top" align="left" height="35"><div clas
s="at"><a href="hXXp://click.kliksaya.com/?aid=2864728&zid=18064
8" target="_blank">Modal 100rb jadi 1,5jt</a></div><
div class="ab"><a href="hXXp://click.kliksaya.com/?aid=2864728&z
id=180648" target="_blank">Hasilkan Rp 1,5Jt /Hari Dengan Modal 100
 ribu, Garansi 200% Sukses</a></div></td><td widt
h="50%" valign="top" align="left" height="35"><div class="at">
;<a href="hXXp://click.kliksaya.com/?aid=2862438&zid=180648" target
="_blank">TURUN BERAT BADAN Cepat!</a></div><div cla
ss="ab"><a href="hXXp://click.kliksaya.com/?aid=2862438&zid=1806
48" target="_blank">PELANGSING SAVANNAH SEKARANG DISKON 40%, 2Kotak
 340rb! HERBAL & AMAN</a></div></td></tr&
<<< skipped >>>

GET /ifr-ad.php?zid=180648 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:55 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 1395

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot{border:#FFFF
FF 1px solid;background-color:#FFFFFF;height:58;width:466;overflow:hid
den;}..at,.at A:link,.at A:visited{font-family:Arial, Helvetica, sans-
serif;font-size:10pt;overflow:hidden;margin:0 auto;font-weight:bold;co
lor:#66B5FF;text-decoration:underline;}..ab,.ab A:link,.ab A:visited{o
verflow:hidden;margin:0 auto;text-align:left;font-family:Arial, Helvet
ica, sans-serif;font-size:10pt;text-decoration:none;color:#dedede;}..a
b A:hover{text-decoration: underline;}.</style></head><
body bgcolor="#FFFFFF">.<div class="ot">.<table width="468
" cellspacing="0" cellpadding="2"  style="height:60;">.<tr>&l
t;td width="50%" valign="top" align="left" height="35"><div clas
s="at"><a href="hXXp://click.kliksaya.com/?aid=2865983&zid=18064
8" target="_blank">Herbal PELANGSING BADAN!!</a></div>&
lt;div class="ab"><a href="hXXp://click.kliksaya.com/?aid=286598
3&zid=180648" target="_blank">PELANGSING BADAN Simpelet! 100% Alami
, terdaftar di DepKes! DISKON 33%</a></div></td><
td width="50%" valign="top" align="left" height="35"><div class=
"at"><a href="hXXp://click.kliksaya.com/?aid=2865670&zid=180648"
 target="_blank">Ingin MENGECILKAN PERUT?</a></div><
div class="ab"><a href="hXXp://click.kliksaya.com/?aid=2865670&z
id=180648" target="_blank">PELANGSING SAVANNAH SOLUSINYA. SEKARANG 
DISKON 40%! 2Kotak HANYA 340rb</a></div></td><
<<< skipped >>>

GET /-s4Bi1FD660U/VLT0DZtvVMI/AAAAAAAAAJs/dlCr2i7ZE-0/w72-h72-p-nu/PointBlank_20150113_172843.jpg HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Expose-Headers: Content-Length

ETag: "v9b"

Expires: Sat, 25 Jun 2016 05:03:55 GMT

Cache-Control: public, max-age=86400, no-transform

Content-Disposition: inline;filename="PointBlank_20150113_172843.jpg"

Content-Type: image/jpeg

Access-Control-Allow-Origin: *

X-Content-Type-Options: nosniff

Date: Fri, 24 Jun 2016 05:03:55 GMT

Server: fife

Content-Length: 3051

X-XSS-Protection: 1; mode=block
......JFIF.............*Exif..II*.......1...............Google........
......................................................................
................................................................H.H...
.........................................?..........................!.
.1."AQ..2aq..#R.....Bb...$5ETru.................................1.....
.................!..1AQ."aq.....2....BCR..............?.L..z..*..tC2n,
.Z...`E....K.... 89.z.L...IL...h....!.A...h0.....B..8....Hrd_...I.!...
nShv.b.@..}9.?e....Y.t.F.....o.b..G.4j.q.e\.G.....yn...A....k....A-...
u1E.Z<.V.,.i.y.......o1KQ..'f2...6....K ...!KC..7z.......cQ.....T..
N.H..0A....yb~B%...L......N...`....h.H$..[u.U.u0.G1.yh...:.[wE.....k.[
Q........\..0.: ..hr.).Z.^.j.4.......cf....9..5.=/......C.....5.EW./Ie
..E.=....(.77PM..X.._`...Hbk5G..K.D.I..;- .F......c....,0 ......2.80..
.a'...m....xe..]..&.f.#.Q...c4.iD:.)..........>.;...i...3;.R.<..
9.8F...A..1..Q.[S......wa.uk....D..<|.... 4.....~(D.V.W....U/k.)..\
[..Z....lrav$J5.$)..J$i.}kR..ho.!.....U.HKo...U...N.*.RNB/.w..[f......
........}.......w......p..2...*uZI-...([email protected])N~.%B,f.K.%.]XDQ`...@
..v[.C1h'N..*....Ei.....ZZM.#..T...q}.t... s.\..[i...LI&IY.$.s......6.
......R/...n.4A.(L....^..j....E....=5...xbIx......_...."..=......-...U
nr..<....(.....[K*..b(M...m.....6T.f...E......M...f=....3.......P..
..`.......J...zl..Q.\.9U.*...)4...t....e .%....b..4t..T....]3.9....*..
%.7...bCorl,....U....S.|..DYX0.....)n...e.Pv..~.W7.`i!T8.U.5S.Bm......
..........&......'.,.4....x.rm...~8.P....K..U....b...VcL& ..).Qm..
<<< skipped >>>

GET /ifr-ba.php?zid=180646 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:56 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 463

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot {border: #00
0000 1px solid;font-size:10pt;font-family:Arial;position:relative; wid
th:298px; height:248px; overflow:hidden;}.</style></head>&
lt;body bgcolor="#FFFFFF">.<div class="ot"><a href="http:/
/click.kliksaya.com/?aid=2861904&zid=180646" target="_blank"><im
g style="position:absolute; top:-1px; left:-1px;" alt="TURUN BERAT BAD
AN Cepat" src="hXXp://scr.kliksaya.com/upload/ban/59/GBR059934.gif">
;</a></div></body>.</html>...

GET /images/icons/ui/gprofile_button-16.png HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Date: Thu, 16 Jun 2016 01:42:48 GMT

Expires: Fri, 16 Jun 2017 01:42:48 GMT

Last-Modified: Fri, 02 Oct 2015 16:03:19 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 737

X-XSS-Protection: 1; mode=block

Age: 703268

Cache-Control: public, max-age=31536000
.PNG........IHDR................a....IDATx.u....9.G_'...l..m..m..-.m..
m....K.Vg....1...[o..w..E._*.0....?.A..r......9...._..a..}.l.....!....
.....ZQ.c..nk...)..u...XX...5....x.j .2...?t....(k..............a.6|..
.f.{..'.....Q.e...^...U......09r..ET.-.r..S.0Ryr.=.x.(.....g.....Z.j.4
.....0.zy...e.......y..}.~..f.{.^HP.fF."......`.5...._&..)].>..|..C
t....1...#.!......{........[yg...;....\ ...|.`...G..8.........^.h....V
..`5.....E........h.%..?..xq..y...P..u.{ '!^..y.Q10........ZW^D...Y..a
|[email protected].......%.Q|[email protected].
D....|...J...R.>K...o.... [email protected]`.`#G
.&.....z^<../[email protected].....|[email protected]:..*.=.T..........A.
1.[..g..B.?N......y.....#.j.p..../....IEND.B`.HTTP/1.1 200 OK..Content
-Type: image/png..Date: Thu, 16 Jun 2016 01:42:48 GMT..Expires: Fri, 1
6 Jun 2017 01:42:48 GMT..Last-Modified: Fri, 02 Oct 2015 16:03:19 GMT.
.X-Content-Type-Options: nosniff..Server: sffe..Content-Length: 737..X
-XSS-Protection: 1; mode=block..Age: 703268..Cache-Control: public, ma
x-age=31536000...PNG........IHDR................a....IDATx.u....9.G_'.
..l..m..m..-.m..m....K.Vg....1...[o..w..E._*.0....?.A..r......9...._..
a..}.l.....!.........ZQ.c..nk...)..u...XX...5....x.j .2...?t....(k....
..........a.6|...f.{..'.....Q.e...^...U......09r..ET.-.r..S.0Ryr.=.x.(
.....g.....Z.j.4.....0.zy...e.......y..}.~..f.{.^HP.fF."......`.5...._
&..)].>..|..Ct....1...#.!......{........[yg...;....\ ...|.`...G..8.
........^.h....V..`5.....E........h.%..?..xq..y...P..u.{ '!^..y.Q1
<<< skipped >>>

GET /js-ad.php?zid=180646 HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:55 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 231

Connection: close

Content-Type: text/html
document.write('<ifr' 'ame src=' '"hXXp://scr.kliksaya.com/ifr-ba.p
hp?zid=180646"' ' marginwidth="0" marginheight="0" width=' '"300"' ' h
eight=' '"250"' ' border="0" frameborder="0" style="border:none;" scro
lling="no"></iframe>');...

GET /widgets.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: platform.twitter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: public, max-age=1800

Last-Modified: Thu, 23 Jun 2016 23:04:45 GMT

ETag: "88ed8b3ded4d9d26cfa60cce15158f21"

Content-Type: application/javascript; charset=utf-8

Content-Length: 104800

Accept-Ranges: bytes

Date: Fri, 24 Jun 2016 05:03:56 GMT

Via: 1.1 varnish

Age: 1414

Connection: keep-alive

X-Served-By: cache-tw-fra1-cr1-14-TWFRA1

X-Cache: HIT

X-Timer: S1466744636.180496,VS0,VE0

Vary: Accept-Encoding,Host

P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
!function(){Function&&Function.prototype&&Function.prototype.bind&&(/M
SIE [678]/.test(navigator.userAgent)||(window.__twttr&&window.__twttr.
widgets&&window.__twttr.widgets.loaded&&window.twttr.widgets.load&&win
dow.twttr.widgets.load(),window.__twttr&&window.__twttr.widgets&&windo
w.__twttr.widgets.init||!function(t){function e(n){if(r[n])return r[n]
.exports;var i=r[n]={exports:{},id:n,loaded:!1};return t[n].call(i.exp
orts,i,i.exports,e),i.loaded=!0,i.exports}var n=window.__twttrll;windo
w.__twttrll=function(r,o){for(var a,s,u=0,c=[];u<r.length;u  )s=r[u
],i[s]&&c.push.apply(c,i[s]),i[s]=0;for(a in o)t[a]=o[a];for(n&&n(r,o)
;c.length;)c.shift().call(null,null,e)};var r={},i={0:0};return e.e=fu
nction(t,e){},e.e=function(t,n){if(0===i[t])return n.call(null,null,e)
;if(void 0!==i[t])i[t].push(n);else{i[t]=[n];var r=document.getElement
sByTagName("head")[0],o=document.createElement("script");o.type="text/
javascript",o.charset="utf-8",o.async=!0,o.onerror=function(){var e=i[
t];for(o.onerror=null,delete i[t];e.length;)e.shift().call(null,new Er
ror("failed to load chunk"))},o.src=e.p "js/" ({1:"button",2:"grid",3:
"moment",4:"periscope_on_air",5:"timeline",6:"tweet"}[t]||t) "." {1:"b
94028505c65ea8b8997e3cdec786451",2:"060f4893a4b8cd3899e47f52d1e2b184",
3:"ec4afe098df7b8bafead7e93c3f8c994",4:"2163e37a195777ca8f8a58fedc1bd3
03",5:"f80add415609dfac297fd37eb66584ee",6:"771a273e838f3bc54b5b11c9d9
524dd7"}[t] ".js",r.appendChild(o)}},e.m=t,e.c=r,e.p="hXXps://platform
.twitter.com/",e(0)}([function(t,e,n){var r,i=n(1),o=n(9),a=n(12),
<<< skipped >>>

GET /ifr-ad.php?zid=180648 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:54 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 1378

Connection: close

Content-Type: text/html
<html><head><style type="text/css">..ot{border:#FFFF
FF 1px solid;background-color:#FFFFFF;height:58;width:466;overflow:hid
den;}..at,.at A:link,.at A:visited{font-family:Arial, Helvetica, sans-
serif;font-size:10pt;overflow:hidden;margin:0 auto;font-weight:bold;co
lor:#66B5FF;text-decoration:underline;}..ab,.ab A:link,.ab A:visited{o
verflow:hidden;margin:0 auto;text-align:left;font-family:Arial, Helvet
ica, sans-serif;font-size:10pt;text-decoration:none;color:#dedede;}..a
b A:hover{text-decoration: underline;}.</style></head><
body bgcolor="#FFFFFF">.<div class="ot">.<table width="468
" cellspacing="0" cellpadding="2"  style="height:60;">.<tr>&l
t;td width="50%" valign="top" align="left" height="35"><div clas
s="at"><a href="hXXp://click.kliksaya.com/?aid=2866413&zid=18064
8" target="_blank">Bisnis sambil Menabung</a></div><
div class="ab"><a href="hXXp://click.kliksaya.com/?aid=2866413&z
id=180648" target="_blank">Bisnis Menabung dari SALIM Group aman te
rdaftar di OJK!!!</a></div></td><td width="50%" v
align="top" align="left" height="35"><div class="at"><a hr
ef="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target="_blank"
>Solusi Tepat MR. P GEDE</a></div><div class="ab">
;<a href="hXXp://click.kliksaya.com/?aid=2866406&zid=180648" target
="_blank">1-2 minggu tambah 4cm . TERBUKTI . tidak banyak janji .. 
BUKTIKAN !!!!</a></div></td></tr></tabl
<<< skipped >>>

GET /upload/ban/59/GBR059934.gif HTTP/1.1

Accept: */*

Referer: hXXp://scr.kliksaya.com/ifr-ba.php?zid=180646

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:56 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

Last-Modified: Mon, 02 Jun 2014 18:00:11 GMT

ETag: "22a38f4-1156c-4fade2a9600c0"

Accept-Ranges: bytes

Content-Length: 71020

Connection: close

Content-Type: image/gif
GIF89a,..........)n.........{.....N..u..1....{........................
cJ...........................`..................... $......q...e.Y....
.......r.o.............xNI.......`.%),V.Lf?9n.g~cW..............k..pY.
O...........g..Y..W.j].yA.wk..2[^[......?CE..}..i1:3...MKG.......zpiID
..W....v#..65, ..l..L.GN...N/-...........H..kh._.GL..K..sQp.Z11.....T.
...ng..g.kg..G..JIKS.D?..t........(...v.o..W.....1.....Y~.{brYn.T.S`..
B...........pUG\..=..H..z..kV=4..f..M..e.."..e..h=>4..6}g$.ZR....."
rx{hht.\_..h.....l...........s...frGJ.B.....l.....|.....U.l\.....?V.M.
.&..n.n.WiD...H/O....[P.LK...Md.j]...^.....Z...(=y..p........~........
...f..Rk.....o.[.....c....oA.X!...3M...$..*...:.1....E.....,5..R.."&m.
cx..........zdG..ZEO..u......h..|sCz........hDbC.[H.............|...Y.
.=uL..........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="...
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:m
eta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 
       "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-s
yntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns
:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorToo
l="Adobe Photoshop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:7696BCF5
C3E811E3B356C4DE2D49D218" xmpMM:DocumentID="xmp.did:7696BCF6C3E811E3B3
56C4DE2D49D218"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30
BFB03CC3E311E3B356C4DE2D49D218" stRef:documentID="xmp.did:7696BCF4
<<< skipped >>>

GET /js-ad.php?zid=180648 HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: scr.kliksaya.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 24 Jun 2016 05:03:53 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.30

X-Powered-By: PHP/5.4.30

Content-Length: 230

Connection: close

Content-Type: text/html
document.write('<ifr' 'ame src=' '"hXXp://scr.kliksaya.com/ifr-ad.p
hp?zid=180648"' ' marginwidth="0" marginheight="0" width=' '"468"' ' h
eight=' '"60"' ' border="0" frameborder="0" style="border:none;" scrol
ling="no"></iframe>');...

GET /en_US/all.js HTTP/1.1

Accept: */*

Referer: hXXp://waw-cheater.blogspot.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: connect.facebook.net

Connection: Keep-Alive

HTTP/1.1 200 OK

ETag: "a2f38fb62a52be657f286b116ac83f47"

Cache-Control: public, max-age=1200, stale-while-revalidate=3600

X-XSS-Protection: 0

content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data: chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline' data:;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* hXXps://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: 127.0.0.1:*;

timing-allow-origin: *

Content-Type: application/x-javascript; charset=utf-8

X-Content-Type-Options: nosniff

Strict-Transport-Security: max-age=15552000; preload

Expires: Fri, 24 Jun 2016 05:13:06 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-MD5: yZlE/KB587QgKsG4hECzQA==

X-FB-Debug: y/pBZ jeaMtefNJQQJHYwH3mCvfM0dOE70azOjwmGIaVyjW8y7onlQRRCn5r97AyDTwMLdEfZadd1NU729wUnQ==

Date: Fri, 24 Jun 2016 05:03:51 GMT

Connection: keep-alive

Content-Length: 56788
............y..H.(...?...X..1..B.|\[O............l.B..x..g.b.Le..].5..
...e........./.GO.<}t.........*..8....4L.V.j.Qs..|......_.........U
...Mn..b0......$....W.,.....8...Y....t.T.&...d.W.g.f.Ee......t........
*YO....Kg{...~........_...2...~r]..j..T.g1....^...9..;.... . .V.d..V..
;Y.>I.i2...u.jW*..J...rL..i.<.`.av.^P[.J.Lgi...d....&\..t.j...Qd
6.UDz1...4s.Xz...y..Q.......tp|.......7....}z......3y~...6.....].XW...
v....Mn~... ..)tu.U.,.~..A2.r..... ...L.E.H.B...U*g..IZ.b_!4.h... ... 
... .V...S?).<.....sKx.y...=..~...9..>iE...:..m....y..N.gP1`#.O.
...v.F.i*...?..q/......,!.8..i.z....o.K.J..(r.YS..'.<..~..4.T..I...
Y........:5...<<.n.;;[CW.f<..6..A.6d#.%..p...........F..J.,..
.4....l..^z.. dV..#....h..g{.i.M..{..t..pg.:.OD*[email protected]..:......
..c1..g.GP.;=.=...C.6.&'.`.*....m...........7....z...:-...a.|.P..[....
C..V2a..,...`.L.S..R.r.z.s....jc%[email protected]"..1..
u..1....r..r...([email protected]]G'...}.5UO.2T...=.p.*(.C.....1...n...........
I...5......2,..W..%.l.c....U..8...*.K..z...0.K.n.....h...-.....A..V...
....Y&..........~.L_C...I..).2.i.....VA...i.....=..Y}e9.n.m./h".Q..<
;[email protected]!.......,L......fA.."...?}...{.P................~1p.Gp3I.i...e
.|L.wN....D..:..&0..m5p.....g..[..2X.....A..].\[email protected].
..........].9....I...q.z.3......O...aUF$.v."lGp{.3..z...$:s.=.[.V.5.].
....9]-.f.....\l..V.Z{...e.jC..-II..";.VC..i.4SlX..I....d...x...../.}.
V.3...',......t.:.O.(..g...o..w..h.%*......k...s9....{.....{..V.....KB
H.@;.....W.4...[.).<e......Q.....3O.B...z^...JX.g.....O....u$..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

.aspack

.adata

MSINET.OCX

InetCtlsObjects.Inet

COMDLG32.OCX

MSComDlg.CommonDialog

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

r%System%\MSINET.oca

user32.dll

GetAsyncKeyState

PSAPI.DLL

shell32.dll

ShellExecuteA

VBA6.DLL

%System%\stdole2.tlb

gdi32.dll

olepro32.dll

MSIMG32.dll

KeyDown

KeyUp

KeyPress

,.qEK

y6%u:O

13:131;13

J  .Ti

J  .yF

.yEn]

VVV.pekalongan-kommunity.com

strURL

uMsg

KeyCode

KeyAcsii

t.Hu`

MSVBVM60.DLL

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

# 127.0.0.1 localhost

127.0.0.0 hXXp://VVV.vista-tigabelas.blogspot.co.id/

127.0.0.0 hXXps://VVV.vista-tigabelas.blogspot.co.id/

127.0.0.0 hXXps://VVV.vista-tigabelas.blogspot.com/

127.0.0.0 vista-tigabelas.blogspot.com

127.0.0.0 VVV.vista-tigabelas.blogspot.co.id

127.0.0.0 VVV.vista-tigabelas.blogspot.com

.data

.reloc

CmDialogWndClass

cmdlg98.chm

Windows

%s,%s,%s

%s.drv

WINSPOOL.DRV

Ports

MbP?hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

z!{lX-X-X-XX-XXXXXX}

SSSh`:{!

KERNEL32.dll

USER32.dll

ole32.dll

ADVAPI32.dll

OLEAUT32.dll

comdlg32.dll

GDI32.dll

GetProcessHeap

GetWindowsDirectoryA

GetKeyState

CreateDialogIndirectParamA

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyA

GetViewportExtEx

SetViewportExtEx

SetViewportOrgEx

%s%s.DLL

%u\%s.dll

{lX-X-X-XX-XXXXXX}

CLSID\%s

%s Object

%s.%s.%ld

%s.%s

%s.%s\CurVer

%s\InprocServer

VERSION.DLL

%ld - %s

stdole2.tlbWWW

cdlGetNotSupportedWW

0{ cdlSetNotSupportedWW

0B.cdlMemAllocFailureWW

.cdlNoFontsWW

cdlHelpKeyWW

cdlHelpPartialKeyWWWX

cdlPortraitWX

HelpKeyW

pbstrHelpKey

ComDlg32.OcxWW

cmdlg98.chmWWW

Sets or returns state of Collate check box.WWW%

Prevents a warning message when there is no default printer.WW5

Sets or returns the state of the Pages option button.WE

Returns a device context for the printer selection.WWW

Dialog box displays the Help button.WW!

Sets support for multiple copies.W,

Sets initial color value for the dialog box.WWK

Entire dialog box is displayed, including the Define Custom Colors section.WWW<

Disables the Define Custom Colors section of the dialog box.WW"

Generates a message box if the selected file already exists.WW

Allows invalid characters in the returned file name.WW:

Extension of returned file name is different from the one set by DefaultExt.WW%

User can enter only names of existing files.WWF

The returned file will not have the Read Only attribute set.WW

Windows 95 Open A File dialog box template.WWW

Long filenames.WWW;

Dialog box lists only screen fonts supported by the system.WWW5

Dialog box lists only fonts supported by the printer.W4

Dialog box lists available screen and printer fonts.WW7

Dialog enables strikeout, underline, and color effects.WWW$

Dialog box enables the Apply button.WW@

Dialog box allows only fonts that use the Windows character set.WW3

Dialog box should not allow vector-font selections.WWWL

Dialog box should not allow graphic device interface (GDI) font simulations.WWH

Selects font sizes within the range specified by Min and Max properties.WW0

Dialog box should select only fixed-pitch fonts.WWL

Allows only the selection of fonts available to both the screen and printer.WWG

Displays an error if a user selects a font or style that doesn't exist.WWW>

No font style selected.WWW

Couldn't allocate memory for FileName or Filter.WW

Cancel was selected.WW!

Call to Windows Help failed.WW*

The function failed to load a specified string.WWW1

The function failed to lock a specified resource.WH

The function was unable to allocate memory for internal data structures.WWD

The function was unable to lock the memory associated with a handle.WW

No fonts exist.WWW=

File name is invalid.WC

An attempt to subclass a listbox failed due to insufficient memory.WWWB

DevMode and DevNames data structures describe two different printers.WH

The printer-device driver failed to initialize a DEVMODE data structure.WW3

The PrintDlg function failed during initialization.WWWK

The PrintDlg function failed to load the specified printer's device driver.WWW!

No printer device-drivers were found.WB

The Common Dialog function failed to parse the strings in WIN.INI.H

The printer device driver failed to initialize a DevMode data structure.WWK

The [devices] section of WIN.INI does not contain an entry for the printer.WWW:

No template provided by the application.WW/

Application did not provide an instance handle.WWW#

Displays Help for a particular topic.WO

Notifies the Help application that the specified Help file is no longer in use.WWW.

Display Help for using the Help application itself.WWW 

Set the current Index for multi-index Help.WWW2

Displays a topic identified by a context number.WW8

Creates a Help file that displays text in only one font.WW'

Displays Help for a particular keyword.WWW'

Displays Help for a particular command.WWW'

Call the search engine in Windows Help.WWW"

Portrait printer paper orientation#

Sets the string displayed in the title bar of the dialog box.WQ

Returns/sets the default filename extension for the dialog box.WWW(

Returns/sets the initial file directory.WW

Returns/sets the selected color.WW"

Specifies the name of the font that appears in each row for the given level.WW

Returns/sets italic font styles.WW'

Returns/sets strikethrough font styles.WWW#

Returns/sets underline font styles.WWW8

Returns/sets the value for the first page to be printed.WWR

Returns/sets the maximum font size (Font dialog) or print range (Print dialog).WWWH

Returns/sets a value that determines the number of copies to be printed.WWP

Indicates whether an error is generated when the user chooses the Cancel button.WWC

Returns/sets the name of the Help file associated with the project.WWW/

Returns/sets the type of online Help requested.WWWB

Returns/sets the keyword that identifies the requested Help topic.f

Returns/sets a default filter for an Open or Save As dialog box.WW8

Returns/sets the context ID of the requested Help topic.WWX

Specifies the size (in points) of the font that appears in each row for the given level.WW4

Returns/sets the type of dialog box to be displayed.WWT

Returns/sets the maximum size of the filename opened using the CommonDialog control.WWI

Returns a handle (from Microsoft Windows) to the object's device context.WQ

Displays the CommonDialog control's Open dialog box.WW7

Displays the CommonDialog control's Save As dialog box.WWW5

Displays the CommonDialog control's Printer dialog box.WWW8

Runs Winhelp.EXE and displays the Help file you specify.WW&

5 5*545>5

6&6-646;6

ocx\ComDlg32.dbg

Internet Control URL Property Page

INET98.CHM

FTp/L#

rL#.OL#

hhctrl.ocx

hXXp://

PTF://

hXXps://

Microsoft URL Control - 6.01.9782

SSShp&M#

WININET.dll

InternetCreateUrlA

InternetCrackUrlA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

HttpQueryInfoA

FtpFindFirstFileA

FtpRemoveDirectoryA

FtpGetCurrentDirectoryA

FtpCreateDirectoryA

FtpSetCurrentDirectoryA

FtpRenameFileA

FtpPutFileA

FtpGetFileA

FtpDeleteFileA

MsgWaitForMultipleObjects

OL#%s%s.DLL

0?NicFTPWWW

icHTTPWW

icHTTPSW,

icUrlOpenFailedW

icBadUrl

0NSicNoExecuteW

`icFtpCommandFailedWW

qicUnsupportedTypeWWW

icUnsupportedCommand

0-gicInvalidOperationWW

icExecutingW

0jHicInvalidForFtpW

hicInvalidURL

icIncorrectPasswordW

icLoginFailureWW

icInetInvalidOperationWW

[icOperationCancelled

00XicSecCertDateInvalid

0.(icSecCertCnInvalidWW

0WwicHttpToHttpsOnRedir

icHttpsToHttpOnRedir

.icPostIsNonSecureWWW

BicClientAuthCertNeededWW

icHttpsHttpSubmitRedirWW

icFtpTransferInProgressW

icFtpDropped

icFtpNoPassiveModeWW

ficHttpHeaderNotFound

icHttpDownlevelServerWWW

icHttpInvalidServerResponseW

icHttpInvalidHeaderW

icHttpInvalidQueryRequestWWW

icHttpHeaderAlreadyExistsWWW

0`>icHttpRedirectFailed

0~ icHttpCookieNeedsConfirmationWWW

7icHttpCookieDeclined

0DSicHttpRedirectNeedsConfirmationW

icSecInvalidCert

icSecCertRevoked

}|RemotePortWW

StillExecutingWW

URLW

Password

OpenURLW

yOperationWWW

~_URLX

MSINet.Ocx

FTPWWW

HTTPWW

Secure HTTPWWW

Unable to open URL

URL is malformedWW&

Protocol not supported for this method

You must execute an operation before retrieving dataWW

FTP command failed

Not a valid or supported commandWW

Invalid operation argument

Still executing last requestWW,

This call is not valid for an FTP connectionWW

Invalid URLWWW

Incorrect password

Login failureW

Invalid operationW

Operation cancelledWWW

Security certificate date invalidW#

Security certificate number invalidWWW

HTTP to HTTPS on redirectW

HTTPS to HTTP on redirectW

Client authorization certificate neededWWW

HTTPS HTTP submit redirWWW

FTP - Transfer in progress

FTP - Connection droppedWW

FTP - no passive modeW

HTTP - Header not foundWWW

HTTP - Downlevel serverWWW

HTTP - Invalid server response

HTTP - Invalid HeaderW

HTTP - Invalid query requestWW

HTTP - Header already existsWW

HTTP - Redirect failed

HTTP - cookie needs confirmationWW

HTTP - cookie declined"

HTTP - redirect needs confirmation

Invalid certWW

Cert revokedWW

Protocol to use for this URLWW

Returns/Sets the internet port to be used on the remote computerWW5

Returns/Sets the URL used by this controlW*

Password to use for authentication;

Open a URL&

Method used to cancel the request currently being executed

2 2>2`2~2

ocx\msinet.dbg

Thawte Certification1

hXXp://ocsp.verisign.com0

0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0

"hXXp://crl.verisign.com/tss-ca.crl0

9hXXp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

hXXp://msdn.microsoft.com/vbasic0

Iz!.Iz!

Ez!&Nz!:Nz!.Pz!BPz!

FTP3z!

SSSh0:{!

2 2(2,2024282

6%7S7Y7s7

]/ ?- '?-

#]/ *]/ 1]/

$  ;$  |$ 

. ?- '?-

9. "9. ,9. 69.

Button%d

ListImage%d

ColumnHeader(%d)

@- !@- .@-

?- ?- '?-

COMCTL32.DLL

!/ :!/ {!/ %!/

%/ ?- '?-

Panel%d

Tab%d

$. )$. 3$. ?- '?-

- ?- '?-

&, /$, ,

- /%, 9%,

- ,8, 68,

  SSh

9FL|$SSh

P8SShG

}2SSh

t&SSh

comctl1.hlp

&- %'- 5

/ SHELL32.DLL

COMCTL32.ocx

VERSION.dll

COMCTL32.dll

VkKeyScanA

MapVirtualKeyA

SetWindowsHookExA

UnhookWindowsHookEx

.IImagesW

8T.IImage10

x}pbFormatSupportedWWW

ccSetNotSupportedAtRuntimeWW

0NmccSetNotSupportedWWW

0UÌGetNotSupportedWWW

CccNonUniqueKeyWW

OccInvalidKey

.aKeyDownW

KeyCodeW

#KeyAscii

MKeyUpWWW

pvKeyWWW

KeyW

dzpbstrKey4

PSubkeyWW

0 %sbrInset

.lvwManualWWW

0yUlvwReportWWW

SortKeyW

psKeyWWW

.ophImageListW

Microsoft Windows Common Controls 5.0 (SP2)WWW

COMCTL32.OCXWW

comctl1.hlpWWW

Constants for the OLEDragMode property (but not the DragMode or OLEDropMode properties).WWX

Constants for the OLEDropMode property (but not the DragMode or OLEDragMode properties).WWC

State transition constants for the DragOver and OLEDragOver events.WWW

Clipboard format constants.WWW3

Drop effect constants for OLE drag and drop events.WWW

TabWidthStyle constants.WW

TabStyle constants.WWW

Returns a reference to a collection of Tab objects in the TabStrip control.WWWK

An individual object, analogous to a page, contained in a TabStrip control.WWW

Toolbar Button Style constants.WWW

Toolbar Value constants.WW

Displays a hierarchical list of Node objects, each of which consists of a label and an optional bitmap.WWW

Displays a collection of ListItems such as files or folders.WW%

An item in a ListView control that contains the index of icons associated with it, text, and an array of strings representing subitems that are displayed in Report view.W!

Contains a collection of ListImage objects, each of which can be referred to by its index or keyWW&

A bitmap or icon of any size that can be used in other controls.WW

A calibrated control with a slider for setting or selecting values.WWW"

Clears all data and formats in a DataObject object.WWW>

Determines if a specified clipboard format is supported by the DataObject object.WE

Adds a supported format and possibly its data to a DataObject object.W7

A collection of filenames used by the vbCFFiles format.WWWn

Returns the number of filenames in the Files collection of a DataObject object (vbCFFiles format only).WWWW

Adds a filename to the Files collection of a DataObject object (vbCFFiles format only).WWWc

Clears all filenames stored in the Files collection of a DataObject object (vbCFFiles format only).WWW\

Removes a filename from the Files collection of a DataObject object (vbCFFiles format only).WW

Accepts no OLE drag/drop operations.WW9

Source control dragged into target.WWW%

Text (.txt file).W

Bitmap (.bmp file).WWW

Metafile (.wmf file).W

Enhanced metafile (.emf file).*

Filename list (Microsoft Windows Explorer)

Rich Text Format (.rtf file).W<

No OLE drag/drop operation has taken place/would take place.WW@

A mask to indicate that a copy has taken place/would take place.WW@

A mask to indicate that a move has taken place/would take place.WWI

Expected at least one argument.WWW1

Non-intrinsic OLE drag and drop formats used with SetData require Byte array data. GetData may return more bytes than were given to SetData.WN

Key is not unique in collectionWWW

Invalid keyWWW$

Returns/sets a value that determines whether a form or control can respond to user-generated events.WW

Sets a custom mouse icon.WZ

Returns/sets the style appearance (tab or button) of a TabStrip control.WWd

Returns/sets a fixed height of a TabStrip control, but only if the TabWidthStyle is set to tabFixed.WWK

Returns/sets the width and justification of all tabs in a TabStrip control.WWW?

Returns the top coordinate of the internal area of the control.WWW@

Returns the left coordinate of the internal area of the control.WW7

Returns the height of the internal area of the control.WWW6

Returns/Sets whether this control can act as an OLE drop target.WW/

Forces a complete repaint of a form or control.WWWC

Starts an OLE drag/drop event with the given control as the source.WWWM

Occurs when the user presses and then releases a mouse button over an object.WA

Occurs when the user presses a key while an object has the focus.W6

Occurs when the user presses and releases an ANSI key.B

Occurs when the user releases a key while an object has the focus.L

Occurs when the user presses the mouse button while an object has the focus.WW%

Occurs when the user moves the mouse.WM

Generated when a Tab object is clicked, or the tab's Value setting has been changed. Used to check parameters before actually generating a Click event.WWW

Returns a specific member of a Collection object either by position or by key.,

Removes a specific member from a collection.WW$

Removes all objects in a collection.WW'

Adds a Tab object to a Tabs collection.WWWS

Returns/sets the text displayed in an object's title bar or below an object's icon.WWW.

Returns/sets the index of an object in a collection. Read-only at run time.WWW<

Returns/sets the unique string of an object in a collection.WWF

Returns/sets the width of an object.WW%

Returns/sets the height of an object.Wg

Returns/sets the distance between the internal top edge of an object and the top edge of its container.WWWi

Returns/sets the distance between the internal left edge of an object and the left edge of its container.WO

Returns/sets a value which determines if a ListItem or Node object is selected.WWW?

Returns/sets the index or key of a ListImage object to be used.WWW

Returns/sets whether or not controls, Forms or an MDIForm are painted at run time with 3-D effects.WWWI

Returns/sets a value which determines if users can customize the Toolbar.WH

Returns a reference to a Toolbar control's collection of Button objects.WW

Help context of topic to be displayed when inquiring help from Toolbar Customize dialog.WWG

Help file to be used when inquiring help from Toolbar Customize dialog.WWWZ

Saves a Toolbar configuration in an initialization (.ini) file.WWWa

Restores a toolbar, created with a Toolbar control, to its original state after being customized.WD

Occurs when the user clicks on a Button object in a Toolbar control.WWn

Occurs when you press and release a mouse button and then press and release it again over an object.WW[

Adds a Button object to a Buttons collection and returns a reference to the created object.WWWL

Returns/sets a value that determines whether an object is visible or hidden.WW$

Returns/sets the value of an object.WW

Returns/sets the description displayed when the user clicks a Button object during a customization operation.W

Returns/sets the text displayed when a StatusBar control's Style property is set to Simple.WWW<

Similar to the standard Click event, but the PanelClick event occurs when a user presses and then releases a mouse button over any of the StatusBar control's Panel objects.WW

Similar to the standard DblClick Event, the PanelDblClick occurs when a user presses and then releases a mouse button twice over a StatusBar control's Panel object.WWX

Adds a Panel object to a Panels collection and returns a reference to the created Panel.WW

Returns/sets a control's maximum value.WWW'

Returns/sets a control's minimum value.WWW3

Returns or sets a control's current Value property.WWW,

Returns/sets the border style for an object.WW

Returns a reference to a Node or ListItem object and highlights the object with the system highlight color.WWW[

Returns/sets a value that determines if a user can edit the label of a ListItem or Node object.WWW?

Returns/sets the style of lines displayed between Node objects.WWW4

Returns a reference to a collection of Node objects.WWV

Indicates whether the elements of a control are automatically sorted alphabetically.WW

Returns a reference to the ListItem object or Node object located at the coordinates of x and y. Used with drag and drop operations.WWW

Returns the number of Node objects that fit in the internal area of a TreeView control.WWW>

Begins a label editing operation on a ListItem or Node object.`

Occurs when a user attempts to edit the label of the currently selected ListItem or Node object.WWV

Occurs when a Node object is clicked.WW

Adds a Node object to a Nodes collection and returns a reference to the created object.WWWL

Returns a specific item of a Collection object either by position or by key.WW8

Returns a reference to the first child of a Node object.WW4

Returns the number of child nodes a Node object has.WWB

Returns/sets the Index or Key of an image in an ImageList control used when the Node is expanded.WB

Returns a reference to the last Node object in a hierarchy level.WA

Returns/sets a reference to the parent of a Node object.WWE

Returns a reference to the previous Node object in a hierarchy level.WB

Returns/sets the Index or Key of an image in an ImageList control which is displayed when a Node object is selected.WW3

Returns/sets the text to be displayed in a control.WWWY

Creates a composite image from an icon and a caption for use in drag and drop operations.W^

Report

Returns/sets how the icons in a ListView control's Icon or SmallIcon view are arranged.WWW<

Returns a reference to a collection of ColumnHeader objects.WWZ

Returns/sets whether or not a ListView control's column headers are hidden in Report view.[

Returns or sets a value that determines if labels are wrapped when the ListView is in Icon view.WW

Returns/sets a value indicating whether a user can make multiple selections in the ListView control and how the multiple selections can be made.WWF

Returns/sets the current sort key.Z

Finds an item in the list and returns a reference to that item.WWWC

Retrieves a reference of the first item visible in the client area.WWWC

Occurs when a ColumnHeader object in a ListView control is clicked.WWW4

Returns/sets the state of a ListView control Object item.WE

Returns/sets the index of an icon in an associated ImageList control.WK

Returns/sets the index of an small icon in an associated ImageList control.WWWC

Returns/sets an array of strings representing the ListIitem's data.WWWZ

Returns/sets a value that determines where an object is displayed on a form.WW]

Returns/sets the width of ListImage objects in an ImageList control.WWd

Returns/sets a value which determines the color to be transparent in ImageList graphical operations.WW_

Returns/sets a value which determines if the ImageList control will use the MaskColor property.WWWQ

Returns a handle to an ImageList control.Wg

Creates a composite third image out of two ListImage objects and returns a reference to the new object.WWWa

Returns/sets the increment value when the PageDown or PageUp key is pressed.WWM

Returns/sets the increment value when the left or right arrow key is pressed.W,

Returns/sets the maximum value of a control.WW,

Returns/sets the minimum value of a control.WWI

Returns/sets the orientation of a Slider control, horizontal or vertical.WE

Returns/sets the value where a selection starts.WW'

Returns/sets the length of a selection.WWW4

Returns/sets where ticks appear on a Slider control.WWN

Sets the SelLength to 0.WW8

Returns the number of visible ticks on a Slider control.WW

Returns a specific member of a Collection object either by position or by keyW

4 5$5(5,5054585<5

7 7$7(7,7074787<7@7

3 3$3)434

0U0

5 5$5(5,5054585

comctl32.dbg

=VVV.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981.0,

'hXXps://VVV.verisign.com/repository/RPA0

=VVV.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981>0<

'hXXps://VVV.verisign.com/repository/CPS

This certificate incorporates by reference, and its use is strictly

subject to, the VeriSign Certification Practice Statement (CPS)

hXXps://VVV.verisign.com; by E-mail at [email protected]; or

USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN

WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE

VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY

DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES

BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE

4hXXps://VVV.verisign.com/repository/verisignlogo.gif0

This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at: hXXps://VVV.verisign.com/CPS; by E-mail at [email protected]; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel.  1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED.

(hXXps://VVV.verisign.com/repository/CPS 0

kernel32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvbvm60.dll

J*\AI:\WWWAWWWA\`aaReal Inject\Project1.vbp

78E1BDD1-9941-11cf-9756-00AA00C00908

28C4C820-401A-101B-A3C9-08002B2F49FB

C:\UpdateLog.txt

PointBlank.exe

hXXp://pastebin.com/raw/qxDnppiG

hXXps://sites.google.com/site/wawcheater/VVIP151617.dll?attredirects=0&d=1

\UpdateLog.txt

hXXp://waw-cheater.blogspot.com/

\PerX.ini

Dll Injected...Creating Thread.....

Can't find LoadLibrary API from kernel32.dll

c:\Windows\system32\

c:\Windows\system32\COMCTL32.OCX

c:\Windows\system32\COMDLG32.OCX

c:\Windows\system32\MSINET.OCX

c:\Windows\system32\Comdlg32.ocx

C:\windows..txt

A*\AI:\WWWAWWWA\`aaReal Inject\Project1.vbp

DB4C0D00-400B-101B-A3C9-08002B2F49FB

4D553650-6ABE-11cf-8ADB-00AA00C00905

HelpKey

CmDlg

Help&Key:

CMDialog ActiveX Control DLL

6.00.8877

CMDIALOG

is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation

Printer Dialog Box Constants1Sets or returns state of All Pages option button. Sets or returns state of Collate check box.%Disables the Print to File check box.-The Print to File check box is not displayed.4Sets or returns the state of the Pages option button%Disables the Selection option button.<Prevents a warning message when there is no default printer.5Sets or returns the state of the Pages option button.EDisplays the Print Setup dialog box rather than the Print dialog box.9Sets or returns the state of the Print to File check box.3Returns a device context for the printer selection.

)Couldn't determine procedure address(es).!Failed to show the common dialog.HThe printer device driver failed to initialize a DevMode data structure.

Printer Orientation Constants$Dialog box displays the Help button.!Sets support for multiple copies.

Color Dialog Box Constants,Sets initial color value for the dialog box.KEntire dialog box is displayed, including the Define Custom Colors section.<Disables the Define Custom Colors section of the dialog box."Dialog box displays a Help button.#File Open/Save Dialog Box Constants=Checks Read Only check box for Open and Save As dialog boxes.<Generates a message box if the selected file already exists.

Hides the Read Only check box.JSets the current directory to what it was when the dialog box was invoked.1Causes the dialog box to display the Help button.4Allows invalid characters in the returned file name.:Allows the File Name list box to have multiple selections.LExtension of returned file name is different from the one set by DefaultExt.

%User can enter only valid path names.,User can enter only names of existing files.FAsks if the user wants to create a file that does not currently exist.)Sharing violation errors will be ignored.<The returned file will not have the Read Only attribute set. Windows 95 Open A File dialog box template.

Fonts Dialog Box Constants;Dialog box lists only screen fonts supported by the system.5Dialog box lists only fonts supported by the printer.4Dialog box lists available screen and printer fonts."Dialog box displays a Help button.7Dialog enables strikeout, underline, and color effects.$Dialog box enables the Apply button.@Dialog box allows only fonts that use the Windows character set.QReturns/sets the name (without the path) of the file to open or save at run time.4Displays the CommonDialog control's Open dialog box.7Displays the CommonDialog control's Save As dialog box.5Displays the CommonDialog control's Color dialog box.3Displays the CommonDialog control's Font dialog box7Displays the CommonDialog control's Printer dialog box.8Runs Winhelp.EXE and displays the Help file you specify.

3Dialog box should not allow vector-font selections.LDialog box should not allow graphic device interface (GDI) font simulations.HSelects font sizes within the range specified by Min and Max properties.0Dialog box should select only fixed-pitch fonts.LAllows only the selection of fonts available to both the screen and printer.GDisplays an error if a user selects a font or style that doesn't exist.>Dialog box should allow only the selection of scaleable fonts.>Dialog box should allow only the selection of True Type fonts.

"Portrait printer paper orientation#Landscape printer paper orientation

BThe Common Dialog function failed to parse the strings in WIN.INI.

KThe [devices] section of WIN.INI does not contain an entry for the printer.:The PDReturnDefault flag was set, but a field was nonzero./Application did not provide an instance handle.

Help Constants%Displays Help for a particular topic.ONotifies the Help application that the specified Help file is no longer in use..Displays the index of the specified Help file.5Displays the contents topic in the current Help file.3Display Help for using the Help application itself. Set the current Index for multi-index Help.2Designates a specific topic as the contents topic.0Displays a topic identified by a context number.

8Creates a Help file that displays text in only one font.'Displays Help for a particular keyword.'Displays Help for a particular command.'Call the search engine in Windows Help.6Returns/sets the path and filename of a selected file.=Sets the string displayed in the title bar of the dialog box.QReturns/sets the filters that are displayed in the Type list box of a dialog box.?Returns/sets the default filename extension for the dialog box.(Returns/sets the initial file directory. Returns/sets the selected color."Sets the options for a dialog box.LSpecifies the name of the font that appears in each row for the given level.

Returns/sets bold font styles. Returns/sets italic font styles.'Returns/sets strikethrough font styles.#Returns/sets underline font styles.8Returns/sets the value for the first page to be printed.8Returns/sets the value for the first page to be printed.RSets the smallest allowable font size (Font dialog) or print range (Print dialog).OReturns/sets the maximum font size (Font dialog) or print range (Print dialog).HReturns/sets a value that determines the number of copies to be printed.PIndicates whether an error is generated when the user chooses the Cancel button.CReturns/sets the name of the Help file associated with the project./Returns/sets the type of online Help requested.BReturns/sets the keyword that identifies the requested Help topic.fDetermines if user selections in the Print dialog box are used to change the default printer settings.@Returns/sets a default filter for an Open or Save As dialog box.8Returns/sets the context ID of the requested Help topic.XSpecifies the size (in points) of the font that appears in each row for the given level.4Returns/sets the type of dialog box to be displayed.TReturns/sets the maximum size of the filename opened using the CommonDialog control.IReturns a handle (from Microsoft Windows) to the object's device context.

The ENABLEHOOK flag was set in the Flags member of a common-dialog data structure but the application failed to provide a pointer to a corresponding hook function.RThe common dialog function was unable to lock the memory associated with a handle.VThe common dialog function was unable to allocate memory for internal data structures.?The common dialog function failed to lock a specified resource.?The common dialog function failed to load a specified resource.?The common dialog function failed to find a specified resource.=The common dialog function failed to load a specified string.

The ENABLETEMPLATE flag was set in the Flags member of a common-dialog data structure but the application failed to provide a corresponding template.wThe common dialog function failed during initialization. This error often occurs when insufficient memory is available.TThe lStructSize member of the corresponding common-dialog data structure is invalid.

Call to Windows Help failed.*The function failed during initialization.1The function failed to load a specified resource./The function failed to load a specified string.1The function failed to lock a specified resource.HThe function was unable to allocate memory for internal data structures.DThe function was unable to lock the memory associated with a handle.

BThe PrintDlg function failed when creating an information context.EDevMode and DevNames data structures describe two different printers.HThe printer-device driver failed to initialize a DEVMODE data structure.

]The [devices] section of the file WIN.INI did not contain an entry for the requested printer.PThe PrintDlg function failed when it attempted to create an information context.VThe data in the DEVMODE and DEVNAMES data structures describes two different printers.!A default printer does not exist.%No printer device-drivers were found.3The PrintDlg function failed during initialization.

The printer device-driver failed to initialize a DEVMODE data structure. (This error constant only applies to printer drivers written for Windows 3.0 or later versions.)KThe PrintDlg function failed to load the specified printer's device driver.

The PD_RETURNDEFAULT flag was set in the Flags member of the PRINTDLG data structure but either the hDevMode or hDevNames field were nonzero.dThe common dialog function failed to parse the strings in the [devices] section of the file WIN.INI.

RemotePort

Pass&word

6.01.9782

is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.

Returns/Sets the remote computer@Returns/Sets the internet port to be used on the remote computer

5Returns information received from the remote computer9Returns a response code received from the remote computer6Returns the low-level internet handle for this control.Returns whether this control is currently busy)Returns/Sets the URL used by this control5Returns/Sets the Document to be retrieved from server

>Returns/Sets the proxy behavior for this control's connections7Event interface for Microsoft Internet Transfer Control#Microsoft Internet Transfer Control&Issue a request to the remote computer:Method used to cancel the request currently being executed

Secure HTTP

Protocol to use for this URL#User name to use for authentication"Password to use for authentication

Open a URL

URL is malformed&Protocol not supported for this method Unable to connect to remote host

Unable to complete request4You must execute an operation before retrieving data

Request timed out Not a valid or supported command

Still executing last request,This call is not valid for an FTP connection

Invalid URL

Login failure

Invalid operation

Operation cancelled

Handle exists!Security certificate date invalid#Security certificate number invalid

HTTP to HTTPS on redirect

HTTPS to HTTP on redirect

Post is non-secure'Client authorization certificate needed

FTP - Connection dropped

HTTP - Header not found

HTTP - Downlevel server

HTTP - Invalid Header

HTTP - Invalid query request

HTTP - Header already exists

HTTP - Redirect failed

HTTPS HTTP submit redir

FTP - no passive mode HTTP - cookie needs confirmation

HTTP - cookie declined"HTTP - redirect needs confirmation

Invalid cert

Cert revoked

URL'URL properties for the internet control

57CBF9E0-6AA7-11cf-8ADB-00AA00C00905

SortKey

ImageKey

Windows Common Controls ActiveX Control DLL

6.00.8105

COMCTL32.OCX

&Key:

Sort&Key:

 Microsoft Windows Common Controls 5.0 (SP2)

3DQA collection whose elements represent each contained control in a parent control.-Returns the number of members in a collectionMReturns a specific member of a Collection object either by position or by key`Contains a collection of ListImage objects, each of which can be referred to by its index or key

FReturns/sets the string displayed when a cursor hovers over an object.XConstants for the OLEDragMode property (but not the DragMode or OLEDropMode properties).BOLE drag/drop will be initialized only under programmatic control.jOLE drag/drop will be initialized when the user drags 'out' of the control, or under programmatic control.XConstants for the OLEDropMode property (but not the DragMode or OLEDragMode properties).$Accepts no OLE drag/drop operations.9Accepts an OLE drag/drop under programmatic control only.CState transition constants for the DragOver and OLEDragOver events.#Source control dragged into target.%Source control dragged out of target.>Source control dragged from one position in target to another.

Text (.txt file).

Bitmap (.bmp file).

Metafile (.wmf file).

Enhanced metafile (.emf file).*Filename list (Microsoft Windows Explorer)

Rich Text Format (.rtf file).3Drop effect constants for OLE drag and drop events.<No OLE drag/drop operation has taken place/would take place.@A mask to indicate that a copy has taken place/would take place.@A mask to indicate that a move has taken place/would take place.

Returns/Sets whether this control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic control.@Returns/Sets whether this control can act as an OLE drop target.3Clears all data and formats in a DataObject object.>Retrieves data of a specified format from a DataObject object.QDetermines if a specified clipboard format is supported by the DataObject object.EAdds a supported format and possibly its data to a DataObject object.7A collection of filenames used by the vbCFFiles format.nReturns a specific filename by index from the Files collection of a DataObject object (vbCFFiles format only).gReturns the number of filenames in the Files collection of a DataObject object (vbCFFiles format only).WAdds a filename to the Files collection of a DataObject object (vbCFFiles format only).cClears all filenames stored in the Files collection of a DataObject object (vbCFFiles format only).\Removes a filename from the Files collection of a DataObject object (vbCFFiles format only).

.Object variable or With block variable not set

.Object doesn't support this property or method

Non-intrinsic OLE drag and drop formats used with SetData require Byte array data. GetData may return more bytes than were given to SetData.NRequested data was not supplied to the DataObject during the OLESetData event.

Key is not unique in collection

Invalid key;The first column in a ListView control must be left aligned$This item's control has been deleted&Control's collection has been modified

Focus.Returns/sets the height of a ListImage object.DReturns/sets the width of ListImage objects in an ImageList control.dReturns/sets a value which determines the color to be transparent in ImageList graphical operations.QReturns a reference to a collection of ListImage objects in an ImageList control.)Returns a handle to an ImageList control.QReturns/sets the background color used to display text and graphics in an object.gCreates a composite third image out of two ListImage objects and returns a reference to the new object.@A bitmap or icon of any size that can be used in other controls..Returns the number of objects in a collection.aAdds a ListImage object to a ListImages collection and returns a reference to the created object.$Removes all objects in a collection.NReturns a specific member of a Collection object either by position or by key.,Removes a specific member from a collection.@A bitmap or icon of any size that can be used in other controls.KReturns/sets the index of an object in a collection. Read-only at run time.

<Returns/sets the unique string of an object in a collection..Stores any extra data needed for your program.

Microsoft ProgressBar Control'Returns/sets a control's maximum value.'Returns/sets a control's minimum value.MReturns/sets the type of mouse pointer displayed when over part of an object.

Sets a custom mouse icon.3Returns or sets a control's current Value property.cReturns/sets whether or not controls, Forms or an MDIForm are painted at run time with 3-D effects.,Returns/sets the border style for an object.dReturns/sets a value that determines whether a form or control can respond to user-generated events.&Returns a handle to a form or control.

ButtonsKReturns a reference to a collection of Tab objects in the TabStrip control.dReturns/sets a value that determines whether a form or control can respond to user-generated events.

Sets a custom mouse icon.ZReturns/sets a value indicating whether the control can display more than one row of tabs.HReturns/sets the style appearance (tab or button) of a TabStrip control.dReturns/sets a fixed height of a TabStrip control, but only if the TabWidthStyle is set to tabFixed.KReturns/sets the width and justification of all tabs in a TabStrip control.?Returns the top coordinate of the internal area of the control.@Returns the left coordinate of the internal area of the control.7Returns the height of the internal area of the control.6Returns the width of the internal area of the control.MReturns/sets the type of mouse pointer displayed when over part of an object..Returns/sets the ImageList control to be used.dReturns/sets a fixed height of a TabStrip control, but only if the TabWidthStyle is set to tabFixed.!Enables/disables the Tooltip text

Returns/sets the selected Tab/Forces a complete repaint of a form or control.MOccurs when the user presses and then releases a mouse button over an object.AOccurs when the user presses a key while an object has the focus.

6Occurs when the user presses and releases an ANSI key.BOccurs when the user releases a key while an object has the focus.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.MOccurs when the user releases the mouse button while an object has the focus.

StatusBar Tabs collection.Returns the number of objects in a collection.NReturns a specific member of a Collection object either by position or by key.,Removes a specific member from a collection.$Removes all objects in a collection.'Adds a Tab object to a Tabs collection.KAn individual object, analogous to a page, contained in a TabStrip control.SReturns/sets the text displayed in an object's title bar or below an object's icon..Stores any extra data needed for your program.KReturns/sets the index of an object in a collection. Read-only at run time.<Returns/sets the unique string of an object in a collection.FReturns/sets the string displayed when a cursor hovers over an object.$Returns/sets the width of an object.%Returns/sets the height of an object.gReturns/sets the distance between the internal top edge of an object and the top edge of its container.iReturns/sets the distance between the internal left edge of an object and the left edge of its container.OReturns/sets a value which determines if a ListItem or Node object is selected.?Returns/sets the index or key of a ListImage object to be used.

ToolBar Buttons.Returns the number of objects in a collection.NReturns a specific member of a Collection object either by position or by key.,Removes a specific member from a collection.$Removes all objects in a collection.[Adds a Button object to a Buttons collection and returns a reference to the created object.

ToolBar ButtonSReturns/sets the text displayed in an object's title bar or below an object's icon..Stores any extra data needed for your program.dReturns/sets a value that determines whether a form or control can respond to user-generated events.KReturns/sets the index of an object in a collection. Read-only at run time.<Returns/sets the unique string of an object in a collection.FReturns/sets the string displayed when a cursor hovers over an object.LReturns/sets a value that determines whether an object is visible or hidden.$Returns/sets the width of an object.%Returns/sets the height of an object.gReturns/sets the distance between the internal top edge of an object and the top edge of its container.iReturns/sets the distance between the internal left edge of an object and the left edge of its container.$Returns/sets the value of an object.

Returns/sets the button stylemReturns/sets the description displayed when the user clicks a Button object during a customization operation.?Returns/sets the index or key of a ListImage object to be used.?Returns/sets the index or key of a ListImage object to be used.cReturns/sets whether or not controls, Forms or an MDIForm are painted at run time with 3-D effects.IReturns/sets a value which determines if users can customize the Toolbar.HReturns a reference to a Toolbar control's collection of Button objects.dReturns/sets a value that determines whether a form or control can respond to user-generated events.&Returns a handle to a form or control.

Sets a custom mouse icon.MReturns/sets the type of mouse pointer displayed when over part of an object.

.Returns/sets the ImageList control to be used.*Enables/disables ToolTips for tool buttons

ToolBar Controls Collection/Forces a complete repaint of a form or control.ZInvokes the Customize Toolbar dialog box when the user double-clicks on a Toolbar control.?Saves a Toolbar configuration in an initialization (.ini) file.aRestores a toolbar, created with a Toolbar control, to its original state after being customized.DOccurs when the user clicks on a Button object in a Toolbar control.nGenerated after the end user customizes a Toolbar control's appearance using the Customize Toolbar dialog box.MOccurs when the user presses and then releases a mouse button over an object.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.MOccurs when the user releases the mouse button while an object has the focus.dOccurs when you press and release a mouse button and then press and release it again over an object.CA calibrated control with a slider for setting or selecting values.

No TicksLReturns/sets the increment value when the PageDown or PageUp key is pressed.MReturns/sets the increment value when the left or right arrow key is pressed.,Returns/sets the maximum value of a control.,Returns/sets the minimum value of a control.IReturns/sets the orientation of a Slider control, horizontal or vertical.

EReturns/sets whether or not a Slider control can have a select range.0Returns/sets the value where a selection starts.'Returns/sets the length of a selection.4Returns/sets where ticks appear on a Slider control.NReturns/sets the ratio of ticks on a Slider control; 1tick every n increments.$Returns/sets the value of an object.

Sets a custom mouse icon.MReturns/sets the type of mouse pointer displayed when over part of an object.dReturns/sets a value that determines whether a form or control can respond to user-generated events.&Returns a handle to a form or control.,Returns/sets the border style for an object./Forces a complete repaint of a form or control.

Sets the SelLength to 0.8Hidden method that can be used to invoke the Click event8Returns the number of visible ticks on a Slider control.MOccurs when the user presses and then releases a mouse button over an object.AOccurs when the user presses a key while an object has the focus.6Occurs when the user presses and releases an ANSI key.BOccurs when the user releases a key while an object has the focus.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.MOccurs when the user releases the mouse button while an object has the focus.

Slider scroll event6Indicates that the contents of a control have changed.gDisplays a hierarchical list of Node objects, each of which consists of a label and an optional bitmap.

.Returns/sets the ImageList control to be used.AReturns/sets the width of the indentation for a TreeView control._Returns/sets a value that determines if a user can edit the label of a ListItem or Node object.?Returns/sets the style of lines displayed between Node objects.MReturns/sets the type of mouse pointer displayed when over part of an object.

Sets a custom mouse icon.4Returns a reference to a collection of Node objects.VReturns/sets the delimiter string used for the path returned by the FullPath property.OReturns/sets a value which determines if a ListItem or Node object is selected.TIndicates whether the elements of a control are automatically sorted alphabetically.gDisplays a hierarchical list of Node objects, each of which consists of a label and an optional bitmap.cReturns/sets whether or not controls, Forms or an MDIForm are painted at run time with 3-D effects.,Returns/sets the border style for an object.dReturns/sets a value that determines whether a form or control can respond to user-generated events.

Returns a reference to the ListItem object or Node object located at the coordinates of x and y. Used with drag and drop operations.WReturns the number of Node objects that fit in the internal area of a TreeView control.>Begins a label editing operation on a ListItem or Node object./Forces a complete repaint of a form or control.`Occurs when a user attempts to edit the label of the currently selected ListItem or Node object.VOccurs after a user edits the label of the currently selected Node or ListItem object.BGenerated when any Node object in a TreeView control is collapsed.jOccurs when a Node object in a TreeView control is expanded; that is, when its child nodes become visible.%Occurs when a Node object is clicked.AOccurs when the user presses a key while an object has the focus.BOccurs when the user releases a key while an object has the focus.6Occurs when the user presses and releases an ANSI key.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.MOccurs when the user releases the mouse button while an object has the focus.MOccurs when the user presses and then releases a mouse button over an object.

Treeview Nodes collection.Returns the number of objects in a collection.WAdds a Node object to a Nodes collection and returns a reference to the created object.$Removes all objects in a collection.LReturns a specific item of a Collection object either by position or by key.,Removes a specific member from a collection.AAn object in a TreeView control that can contain images and text.8Returns a reference to the first child of a Node object.4Returns the number of child nodes a Node object has.BReturns/sets a value which specifies if a Node object is expanded.aReturns/sets the Index or Key of an image in an ImageList control used when the Node is expanded.BReturns a reference to the first Node object in a hierarchy level.2Returns the fully qualified name of a Node object.?Returns/sets the index or key of a ListImage object to be used.KReturns/sets the index of an object in a collection. Read-only at run time.<Returns/sets the unique string of an object in a collection.AReturns a reference to the last Node object in a hierarchy level.AReturns a reference to the next Node object in a hierarchy level.8Returns/sets a reference to the parent of a Node object.EReturns a reference to the previous Node object in a hierarchy level.BReturns a reference to the root Node object of a TreeView control.OReturns/sets a value which determines if a ListItem or Node object is selected.tReturns/sets the Index or Key of an image in an ImageList control which is displayed when a Node object is selected.TIndicates whether the elements of a control are automatically sorted alphabetically..Stores any extra data needed for your program.3Returns/sets the text to be displayed in a control.LReturns/sets a value that determines whether an object is visible or hidden.YCreates a composite image from an icon and a caption for use in drag and drop operations.^Ensures a ListItem or Node object is visible, scrolling or expanding the control if necessary.<Displays a collection of ListItems such as files or folders.

PartialWReturns/sets how the icons in a ListView control's Icon or SmallIcon view are arranged.<Returns a reference to a collection of ColumnHeader objects.kReturns a reference to a Node or ListItem object and highlights the object with the system highlight color.ZReturns/sets whether or not a ListView control's column headers are hidden in Report view.[Determines whether the selected item will display as selected when the ListView loses focusRReturns/sets the images associated with the Icon properties of a ListView control.NReturns a reference to a collection of ListItem objects in a ListView control._Returns/sets a value that determines if a user can edit the label of a ListItem or Node object.`Returns or sets a value that determines if labels are wrapped when the ListView is in Icon view.

Returns/sets a value indicating whether a user can make multiple selections in the ListView control and how the multiple selections can be made.FReturns a reference to the currently selected ListItem or Node object.VReturns/sets the images associated with the SmallIcons property of a ListView control.TIndicates whether the elements of a control are automatically sorted alphabetically."Returns/sets the current sort key.ZReturns/sets whether or not the ListItems will be sorted in ascending or descending order.6Returns/sets the current view of the ListView control.cReturns/sets whether or not controls, Forms or an MDIForm are painted at run time with 3-D effects.QReturns/sets the background color used to display text and graphics in an object.,Returns/sets the border style for an object.dReturns/sets a value that determines whether a form or control can respond to user-generated events.

QReturns/sets the background color used to display text and graphics in an object.&Returns a handle to a form or control.?Finds an item in the list and returns a reference to that item.CRetrieves a reference of the first item visible in the client area.

Returns a reference to the ListItem object or Node object located at the coordinates of x and y. Used with drag and drop operations.>Begins a label editing operation on a ListItem or Node object./Forces a complete repaint of a form or control.`Occurs when a user attempts to edit the label of the currently selected ListItem or Node object.VOccurs after a user edits the label of the currently selected Node or ListItem object.COccurs when a ColumnHeader object in a ListView control is clicked.4Occurs when a ListItem object is clicked or selectedAOccurs when the user presses a key while an object has the focus.BOccurs when the user releases a key while an object has the focus.6Occurs when the user presses and releases an ANSI key.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.

MOccurs when the user releases the mouse button while an object has the focus.MOccurs when the user presses and then releases a mouse button over an object.dOccurs when you press and release a mouse button and then press and release it again over an object.

ListView Item collection.Returns the number of objects in a collection.BAdds a ListItem object to a ListItems collection only at run time.$Removes all objects in a collection.LReturns a specific item of a Collection object either by position or by key.,Removes a specific member from a collection.

An item in a ListView control that contains the index of icons associated with it, text, and an array of strings representing subitems that are displayed in Report view.9Returns/sets the state of a ListView control Object item.%Returns/sets the height of an object.EReturns/sets the index of an icon in an associated ImageList control.KReturns/sets the index of an object in a collection. Read-only at run time.<Returns/sets the unique string of an object in a collection.iReturns/sets the distance between the internal left edge of an object and the left edge of its container.OReturns/sets a value which determines if a ListItem or Node object is selected.KReturns/sets the index of an small icon in an associated ImageList control..Stores any extra data needed for your program.3Returns/sets the text to be displayed in a control.gReturns/sets the distance between the internal top edge of an object and the top edge of its container.$Returns/sets the width of an object.CReturns/sets an array of strings representing the ListIitem's data.YCreates a composite image from an icon and a caption for use in drag and drop operations.^Ensures a ListItem or Node object is visible, scrolling or expanding the control if necessary.!ListView Column Header collection.Returns the number of objects in a collection.ZAdds a ColumnHeader object to a ColumnHeaders collection at both design time and run time.$Removes all objects in a collection.NReturns a specific member of a Collection object either by position or by key.,Removes a specific member from a collection.

LReturns/sets a value that determines where an object is displayed on a form.KReturns/sets the index of an object in a collection. Read-only at run time.<Returns/sets the unique string of an object in a collection.iReturns/sets the distance between the internal left edge of an object and the left edge of its container.]Returns the index of the subitem associated with a ColumnHeader object in a ListView control..Stores any extra data needed for your program.3Returns/sets the text to be displayed in a control.$Returns/sets the width of an object.

Single panel simple text[Returns/sets the text displayed when a StatusBar control's Style property is set to Simple.<Returns/sets the the single (simple) or multiple panel style5Returns a reference to a collection of Panel objects.MReturns/sets the type of mouse pointer displayed when over part of an object.

Sets a custom mouse icon.dReturns/sets a value that determines whether a form or control can respond to user-generated events.cReturns/sets a value that determines whether a form or control can respond to user-generated events

Similar to the standard DblClick Event, the PanelDblClick occurs when a user presses and then releases a mouse button twice over a StatusBar control's Panel object.LOccurs when the user presses the mouse button while an object has the focus.%Occurs when the user moves the mouse.MOccurs when the user releases the mouse button while an object has the focus.MOccurs when the user presses and then releases a mouse button over an object.dOccurs when you press and release a mouse button and then press and release it again over an object.

StatusBar Panels collection.Returns the number of objects in a collection.XAdds a Panel object to a Panels collection and returns a reference to the created Panel.

$Removes all objects in a collection.NReturns a specific member of a Collection object either by position or by key.,Removes a specific member from a collection.

2Returns/sets the text to be displayed in a controlKReturns/sets a value that determines whether an object is visible or hidden#Returns/sets the width of an object.Stores any extra data needed for your program.

Error #%d

Invalid entry for %s

}Bitmap and Icon Files (*.bmp, *.ico) |*.bmp;*.ico|Bitmap Files (*.bmp) |*.bmp|Icon Files (*.ico)|*.ico|All Files (*.*)|*.*||

0.00.0061

pb.exe

%original file name%.exe_468_rwx_005F5000_00003000:

kernel32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvbvm60.dll

0.00.0061

pb.exe

iexplore.exe_784:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\MSINET.OCX (132 bytes)
   %System%\COMCTL32.OCX (3681 bytes)
   %System%\COMDLG32.OCX (350 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.