Gen.Variant.Kazy.146618_a1c3adcb6e

by malwarelabrobot on March 13th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.146618 (B) (Emsisoft), Gen:Variant.Kazy.146618 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a1c3adcb6eb161412a113ab8a2acb4ad
SHA1: 0428cc7027591c3fd670c299eac5e7ec9023f1b7
SHA256: c34f9537ff60e6781439b3d52c120021c8e1ecfb726a2d10532c6b9589e81d32
SSDeep: 1536:aWPYkjtl3jcHrqnyVSD6wzAx5PG1EjUMWHQnYyz:ah6lg0R6Cc5PG JWHQn/
Size: 119112 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-14 08:26:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1156

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
folohadlobos

File activity

The process %original file name%.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
%Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "43 E8 02 1B 34 4D 66 0C 25 3E 57 70 16 2F 48 61"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 D4 84 DE 40 D2 AB C9 1E 0D DC BC 0D 54 22 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"folohadloboszap" = "6D 13 2C 45 5E 77 90 36 4F 68 81 9A 40 59 72 8B"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: tttttt Corporation
Product Name: HD Player
Product Version: 9.00.00.4503
Legal Copyright: (c) tttttt Corporation. All rights reserved.
Legal Trademarks:
Original Filename: migrate.exe
Internal Name: migrate.exe
File Version: 9.00.00.4503 (xpsp.080413-0845)
File Description: MLS Migrate DLL
Comments:
Language: Language Neutral

PE Sections

Name      Virtual Address   Virtual Size   Raw Size   Entropy    Section MD5
.text     4096              8123           8192       1.95528    bdf9ff571cb715841f3070eab9b48bd6
.rdata    12288             79294          79360      4.18728    2e28b00638373d261901f903a9b718bb
.data     94208             20156          20480      0.023306   b123c4225fd7ea8ee80aedde87c66661
.rdata2   114688            1000           1024       0          0f343b0931126a20f133d67c2b018a3b
.data3    118784            626            1024       2.41596    c09c50076d33f36b4c69df5193709373
.rsrc     122880            960            1024       2.18771    2e5d23bf9177dca909a71f49bd7d990c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Backdoor.Win32.Pushdo.s Checkin

Traffic

POST /?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 147
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: laposte.net
Connection: Keep-Alive
Cache-Control: no-cache

..&.OD".\2....}..r...VUGfT.G..
v..}qY`.k0Y.gl...`$....7.3.Q......
..d..^..~\I..........s$.##..X.^...n...........^....~...r.....uG=......)v..u.
HTTP/1.1 301 Moved Permanently
Location: hXXp://VVV.laposte.net/?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP
Content-Length: 0
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:26 GMT
X-Varnish: 3386012683
Age: 0
Via: 1.1 varnish
X-Cache: MISS


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 131
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bellsouth.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 12 Mar 2015 07:28:26 GMT
Content-length: 0
Content-type: text/html
Location: hXXp://VVV.att.com


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 202
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: posten.se
Connection: Keep-Alive
Cache-Control: no-cache

%q ..;...k..P.h..2M.-c..........e.y...
5U.........`.X
..=.J.!..w......u.i."oN.u.........'......`F......'n...h.M.'..Y..}.........{...k...O.ju......:.. ..c
7."...#...#B..$...%..?&.
'...'J..(.Pl)'.7*..
HTTP/1.1 400 Bad Request
content-length: 1389
content-type: text/html
date: Thu, 12 Mar 2015 07:33:40 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: WebSEAL/6.1.1.5 (Build 120405)
pragma: no-cache
cache-control: no-cache

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 184
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tahoo.com
Connection: Keep-Alive
Cache-Control: no-cache

n...>9z.5.\.........R...K...F1......l..kgs.U.<.?........Ne..Ga..t*...........l..\......I.?i@I....'.R..n.iKph...-.`.8..xn.W.J@:..9...f....b......R....
.Fnf
..]...:g....`..'\.........
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 15:16:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Location: hXXp://VVV.99ff.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html;charset=gb2312


POST /?ptrxcz_KMOQTVXZbdgikmprtwy02469BDFHJL HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 246
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: udel.edu
Connection: Keep-Alive
Cache-Control: no-cache

..b%G. X:....~!..~G&.....a...B....`.....l
..N}.'......*(.Cv(...(.;.....))tA)...).r.).>.)......X*...*Q.i.%...
..-.8>-J$..7. ..",.......,......Z.1fI-#..........-.../..P....2.....-..$6......D../...%..R..h30..........2&$.x....&\....|.....1.T/25.....
HTTP/1.1 413 Request Entity Too Large
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8i
Connection: close
Content-Type: text/html; charset=iso-8859-1


POST /?ptrxcz_acegikoqsuwy02468ACEGIKMOQSUWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 199
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: microtek.com
Connection: Keep-Alive
Cache-Control: no-cache

.....J`.Q....
..........Pd...,....2.e.........D.m....w...qU.....E.6...........`.@T....'.|..[Lx...@9...._s6.`..$.{,|.R..dG...........d.........M.p9..&.G.........H.r..T......jJ.......
K.e.{..k...e\....
HTTP/1.1 302 Found
Date: Sun, 22 Mar 2015 09:44:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
location: hXXp://ww7.microtek.com.tw
Content-Length: 0
Connection: close
Content-Type: text/html; charset=iso-8859-1


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 152
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mchsi.com
Connection: Keep-Alive
Cache-Control: no-cache

Pz....R.,..n.;.oXl...M..T......s.R..<|.swQfv..\.V.Hx..?.T}V..}T.^.@|.rP.M.5...3.t.1.....U..|..*.Z.(.&...b....2........m.f....w..K"..
F.......J..
....
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Mar 2015 07:28:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 245
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
X-Varnish: 1576525939
Age: 0
Via: 1.1 varnish


POST /?ptrxcz_TVYacegikmprtvxz1468ACEGIKMOQS HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 180
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tahoo.com
Connection: Keep-Alive
Cache-Control: no-cache

..1..I....
.%8.'.)...(K..
L#....?!..Na.....v^.......S..#.......................6............d...a......$...tkV.....g...(.\..~A..y[...$...^)zTt(kG...?,{{&-x...............,t.1....
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 15:16:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Location: hXXp://VVV.99ff.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html;charset=gb2312


POST /?ptrxcz_Zbdfhkmprtvxz1368ACEGIKMORTVXZ HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: start.no
Connection: Keep-Alive
Cache-Control: no-cache

F..N.C.Oq.Q.o4R...SEf.T...
HTTP/1.1 405 Not allowed.
Server: Varnish
Content-Type: text/html; charset=utf-8
Content-Length: 473
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:28 GMT
X-Varnish: 2686377178
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Host: NOSTPX01
X-Cache: MISS


POST /?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 41
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yahoo.com.au
Connection: Keep-Alive
Cache-Control: no-cache

!.6BU\.B...C.&NC...C.W.DL.~D...D..JE.Q.E.
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Location: hXXp://au.yahoo.com/?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
b9     ..The document has moved <A HREF="hXXp://au.yahoo.com/?ptrxc
z_FIKMOQSUXZbdfhjloqtvxz1357ACEG">here</A>.<P>.<!--
fe4.rd.aue.yahoo.com uncompressed/chunked Thu Mar 12 00:28:26 PDT 2015
-->...0..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 129
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sprintmail.com
Connection: Keep-Alive
Cache-Control: no-cache

j.....>...-......H..U`...*P..;......R.....h..m......qd....u.6/A.,..
...l.o.!;._Q..........Z.5..F....\..
(...;..;...sF.@.....[ .
HTTP/1.1 302 Found
Location: hXXp://VVV.earthlink.net/
Connection: close


POST /?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: aol.de
Connection: Keep-Alive
Cache-Control: no-cache

....N....C. R..!..."Im.#..c$3.a%.0F&.a.'.].(...(|..)...*f.. ...,j..-..h.T.f/..d0
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:30 GMT
Server: Apache
Location: hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl
Content-Length: 264
Keep-Alive: timeout=15, max=9987
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


POST /?ptrxcz_358ACEGILNPRTVXacegikoMOQRTVWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: love.com
Connection: Keep-Alive
Cache-Control: no-cache

.q
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache
Location: hXXp://VVV.aol.com/
Content-Length: 227
Keep-Alive: timeout=15, max=9421
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 123
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dr.dk
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently
Server: Varnish
Cache-Control: public,max-age=0
Location: hXXp://VVV.dr.dk/
X-Cacheable: REDIR:301
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:39 GMT
X-Varnish: 1668772977
Age: 0
Via: 1.1 varnish
Connection: close
X-Via: varnishol01.dr.dk (172.18.120.36:80)
X-Cache: MISS
X-WebEdge: 44


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 129
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: crosspaths.net
Connection: Keep-Alive
Cache-Control: no-cache

..X..
9.._.d...eJ.......m.d...ij3......k...m5....A.ok....
R.....G..t....]...1.....*.TW[....v\........tcy(v.zx!.........}z.z..1...
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: IBM_HTTP_Server
Location: hXXp://VVV.windstream.net
Content-Length: 233
Connection: close
Content-Type: text/html; charset=iso-8859-1


POST /?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 90
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: merck.com
Connection: Keep-Alive
Cache-Control: no-cache

.u...:..,...W...........@u..^:...1...(......1. ..v........D.8...p!T......w..P.x.sf....;...
HTTP/1.1 302 Found
Date: Thu, 12 Mar 2015 07:28:36 GMT
Server: Apache
Location: hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf
Content-Length: 253
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: BIGipServerVVV.merck.com-HTTP=42078380.20480.0000; path=/


POST /?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 212
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ohiou.edu
Connection: Keep-Alive
Cache-Control: no-cache

.z../...5...,;.s.
...$...\:........M.E....I*..s..;.S!...$.W.&e.u).
,..k...21...3/.t6k....s.;..2>..p.......[K...MY8 ....QH.8To.\Y..GY>..[i.=^..7aN..c.w`f...hQ..k..6n...pT|.s.
.u.6.x#b.{...}.Nx.3F........N.)^..
HTTP/1.0 302 Found
Location: hXXp://VVV.ohio.edu/?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ
Server: BigIP
Connection: Keep-Alive
Content-Length: 0


POST /?ptrxcz_VYbdgilpruwz1469CEHJMORTWZbegj HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 21
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: wa-net.com
Connection: Keep-Alive
Cache-Control: no-cache

!.A.....Yx..........-
HTTP/1.1 403 Forbidden
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=6103
Date: Thu, 12 Mar 2015 07:28:25 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2
1401D04D49E16F8687....



GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT
Accept-Ranges: bytes
ETag: "804c50f7c94fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49859
Cache-Control: max-age=4274
Date: Thu, 12 Mar 2015 07:28:25 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 203
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: talktalk.net
Connection: Keep-Alive
Cache-Control: no-cache

.5.?...@2fg@[email protected] .B...B..zC.Y.C-.EDa..D.".E. .
..E>Q[F.O.F..?G,..GK~$H...H......n
E.I
....0..".L..8M..j.r.hL.<.L...P.k.M4i.Nh.~N...N.1IO.0.OE.-Py`.P...P..^Q/..Qc.\R.%.R..'S.U.S3..St.qT...
HTTP/1.1 302 Object moved
Location: hXXp://VVV.talktalk.co.uk
Connection: close


POST /?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 51
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: job-index.ch
Connection: Keep-Alive
Cache-Control: no-cache

PB......H..!..:":o..^..a..yafe.#.....U7#4.G%.h...*.
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache
Location: hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL
Cache-Control: max-age=1
Expires: Thu, 12 Mar 2015 07:28:27 GMT
Content-Length: 330
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.
<title>301 Moved Permanently</title>.</head><body>.
<h1>Moved Permanently</h1>.
<p>The document has moved <a href="hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL">here</a>.</p>.
<hr>.<address>Apache Server at job-index.ch Port 80</address>.
</body></html>.

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 203
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: onebox.com
Connection: Keep-Alive
Cache-Control: no-cache

z.I..3...2a.J0....x.....'...u[(..Y...W&.E.....=.......;.c.....l..}..3.....5..D..3.3..
...Z.I....=.{....K..$L.I..!.x....M....C.s..*h..(..-.<.n....UT
...X.....6..M..5.4..I....e..F..S.c.......a.0q..~....m.
HTTP/1.1 302 Object moved
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Pragma: no-cache
Location: hXXp://VVV.onebox.com/oneboxlogin.asp
Content-Length: 158
Content-Type: text/html
Expires: Thu, 12 Mar 2015 07:27:38 GMT
Set-Cookie: xpcook=o9Gjoc8PxanwsxIK74Lvqkzsu4/M4DZ7; expires=Fri, 01-Jan-2016 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCSCTCRTT=GAKJCJJACOBFBBCIOFIKIOAH; path=/
Cache-control: no-cache
Set-Cookie: oneboxwb=ffffffff0989118145525d5f4f58455e445a4a423660;expires=Thu, 12-Mar-2015 07:33:38 GMT;path=/;httponly
<head><title>Object moved</title></head>.
<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://VVV.onebox.com/oneboxlogin.asp">here</a>.</body>.

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 200
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tampabay.com
Connection: Keep-Alive
Cache-Control: no-cache

.d..sa....P...N.:U......>N{.....iy......z....;...7..'.......E.M..'e.V$c......O..&L......!.hd.s..6p.....go..h..'.6....c.k..y...w...d.\.......JF......h....m....2..3J.k....R...N...K....8.6vO..rM.G.d..7|.
HTTP/1.1 301 Moved Permanently
Accept-Ranges: bytes
Age: 0
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 12 Mar 2015 07:28:31 GMT
Location: hXXp://VVV.tampabay.com/
Server: nginx/1.6.2
Set-Cookie: TPC=Ci4rJFUBQB9dzF4GBIr1Ag==; expires=Thu, 12-Mar-15 08:28:31 GMT; domain=tampabay.com; path=/
Via: 1.1 varnish
X-Cache: MISS
X-Cacheable: NO CACHE: POST request
X-Served-By: livesite-prd-varnish-2.localdomain
X-Varnish: 1322858855
Content-Length: 232
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.
<title>301 Moved Permanently</title>.</head><body>.
<h1>Moved Permanently</h1>.
<p>The document has moved <a href="hXXp://VVV.tampabay.com/">here</a>.</p>.
</body></html>.

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hknetmail.com
Connection: Keep-Alive
Cache-Control: no-cache

..*...&.
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 310
Content-Type: text/html; charset=utf-8
Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=1aa95ea7-505a-496c-9960-63c7a2769197; path=/
Set-Cookie: VisitorID=59f14903-41a5-478e-8c2e-c4ca6eb2af2d&Exp=3/12/2018 12:28:37 AM; expires=Mon, 12-Mar-2018 07:28:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:37 GMT
<html><head><title>Object moved</title></head><body>..
<h2>Object moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211">here</a>.</h2>..
</body></html>..

<<< skipped >>>

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 31
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: goldcockerelbooks.co.uk
Connection: Keep-Alive
Cache-Control: no-cache

.'..:...!.8..f92..pj.x.h$y...
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2015 07:28:27 GMT
Server: Apache
Last-Modified: Mon, 06 Oct 2014 14:36:36 GMT
Accept-Ranges: bytes
Content-Length: 79
Connection: close
Content-Type: text/html
<meta http-equiv="refresh" content="0; url=hXXp://goldcockerelbooks.com/web" />..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 152
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: actuslendlease.com
Connection: Keep-Alive
Cache-Control: no-cache

.P..o.`.?F...At..m=..h......B....%d.......^.h{..8...
........M.k...;Za.......t.........$..m.....g....?ri..s.,..l...]z.{l:......./.......W>.-.....
....
HTTP/1.0 301 Moved Permanently
Location: hXXp://VVV.actuslendlease.com/
Server: BigIP
Connection: Keep-Alive
Content-Length: 0


POST /?ptrxcz_qsuwy02468ACEGILNPRTVXZbdfhjlo HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 130
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache

8!..R...l..... ..QS......O........7./.j.I...cL..}.....5...h..|...H..{..&GM.x...}........`.
.CK...~.4.B...u......>..-....>.......
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:30 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..
<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..
</body></html>..



POST /?ptrxcz_jmprtvy02468ADFHJLNQSUWYacfhjl HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 105
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache

=..rmy..7 [email protected]........[o.W&!.....
...h.6..... ....Je.....<.....?..4..^d....n..G.xf....Y..tQ.z.
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:42 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..
<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..
</body></html>..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 162
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: zdnetmail.com
Connection: Keep-Alive
Cache-Control: no-cache

/........C.Z.XQ[.>\......P....._a....~x`..:cp.2...ie.M..k|.....
..i..$...<.y.l......`....Ck.%..3.-..~.np..p....D.r..G=s.o..C.....j...L....~.t.~5...aP....3..~>..G
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2015 07:28:29 GMT
Server: Apache
Expires: Thu Mar 12 07:33:29 2015 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="hXXp://VVV.cnet.com/w3c/p3p.xml"
Keep-Alive: timeout=300, max=976
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
23e0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.
<html><head><!--ss720--><!--ID.113-->.
<script>window.location="hXXp://search.com/search"</script>.
<style><!--.img {. border: 0;. }..ol, ul {..list-style-imag
e:none;..list-style-position:outside;..list-style-type:none;..}..body
{..background-color:#FFFFFF;..font-family:arial,helvetica,verdana,sans
-serif;..font-size:13px;..}..a {..color:navy;..text-decoration:underli
ne;..}..#header h1 {..font-size: 150%;..padding-bottom: 10px;..color:
#333;..}..#header .searchbox {..float:left;..}..#header .searchbox .q
{..width:300px;..}..#header #wrap {..float: left;..margin: 8px;..width
:750px;..padding-bottom: 15px;..border-bottom: 1px solid #999;..}...qu
ery {..float:left;..}..#results_wrap {..float:left;..width:100%;..}..#
results {..margin:0pt;..padding:0pt;..}..#results h3 {..color:#555555;
..font-size:13px;..margin:10px 0px;..}..#header b {..color:#555555;..f
ont-size:13px;..}..#results #dmoz_wrap {..padding-bottom: 18px;..borde
r-bottom: 1px solid #777;..width:750px;. margin: 0 0 0 8px;..}..#re
sults #dmoz {..border:0pt none;..font-size:11px;..width: 100%;..margin
: 0 0 0 10px;..}..#results #dmoz b {..font-size:13px;..}..#results #dm
oz td {..padding:5px 5px 5px 0;..}..#results #services_wrap {..width:7
50px;..margin: 0 0 0 8px;..padding-top: 8px;..}..#services {..margin:
0 0 0 10px;..width: 750px;..}..#services td {..padding:5px 5px 5px

<<< skipped >>>

POST /?ptrxcz_dfikmprtwy02479BDFHJMOQSUWYbdf HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 11
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: midway.edu
Connection: Keep-Alive
Cache-Control: no-cache

A. ..XQ..S.
HTTP/1.1 403 Forbidden
Date: Thu, 12 Mar 2015 07:28:32 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.
<title>403 Forbidden</title>.</head><body>.<h1>Forbidden</h1>.
<p>You don't have permission to access /.on this server.</p>.
<p>Additionally, a 500 Internal Server Error.error was encountered while trying to use an ErrorDocument to handle the request.</p>.
</body></html>...


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 230
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mtv.com
Connection: Keep-Alive
Cache-Control: no-cache

.z.. ...l........AN.....<r..
.......:J.[email protected].{......._..2..^0D......`..2.t.Q....)@...6:.Y....p...g;...;.5.......W.=^.....j.......6. ...TH....f..x....2.$...e....?|......pG.5...v.,......6....\.Fg..z.'....../..#.r.W....^=.......
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache/2.2.23 (Unix)
Location: hXXp://VVV.mtv.com/
Content-Length: 298
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.
<title>301 Moved Permanently</title>.</head><body>.
<h1>Moved Permanently</h1>.
<p>The document has moved <a href="hXXp://VVV.mtv.com/">here</a>.</p>.
<hr>.<address>Apache/2.2.23 (Unix) Server at mtv.com Port 80</address>.
</body></html>...


POST /?ptrxcz_qsuwz13579BEGIKMORTVXZbdgikmpr HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 63
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache

v.Q...R.:........d6...j..........oM.....<....c..XY.......*e....
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:26 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..
<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..
</body></html>..


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 241
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yahoo.gr
Connection: Keep-Alive
Cache-Control: no-cache

...@Ay>A..#B...B
.C.:kD/..E...E...FMd2G...G...Hx.zI..EJ;..J...K...Lf.?M.
Nn..N.znO..9PT......Q.phR.....6.."..Ve.IW....{..V...W..1[[email protected][..!\l..\.{.]/.i^^..b..yc!.*d|..d...eL.rf..$g...gj..h..Si P.j...j.J.kK{Ml...m...mi@|n.pGo,;.o.
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:29 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: BX=eouc0qlag2g0t&b=3&s=61; expires=Sun, 12-Mar-2017 07:28:29 GMT; path=/; domain=.yahoo.gr
Cache-Control: max-age=3600, private
Location: hXXp://gr.yahoo.com/
Vary: Accept-Encoding
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: keep-alive
Server: ATS/4.0.2
.<!-- src3.ops.ir2.yahoo.com Thu Mar 12 07:28:29 UTC 2015 -->.


POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 62
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sprintmail.com
Connection: Keep-Alive
Cache-Control: no-cache

(7"*... .*.-..J/..-1...2V.@4@
6...7..69...:...<j.,>aP.@>..A..
HTTP/1.1 302 Found
Location: hXXp://VVV.earthlink.net/
Connection: close


POST /?ptrxcz_XZcegikmprtvx02468ACEGILNPRTVX HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 248
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ministryofsound.net
Connection: Keep-Alive
Cache-Control: no-cache

..j.'h..u....03.....y.....H."...pXy.." .....g.[..O......^~>..H......bw:.....C...
...n......]....g..Q..
Y.s.u.T.....'.E...v..Y(.>.... Y..
.9O....;.....0...~F......'uh.u....... nd.y....6....-.pe.../....).g....\Z.....^.....<.. ..b.....8.....Y....{..
HTTP/1.1 200 OK
Last-Modified: Wed, 07 Jun 2006 10:38:30 GMT
ETag: "e7a6b-f-4159ff7e7f580"
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: NetNames
Transfer-Encoding: chunked
Date: Thu, 12 Mar 2015 07:28:26 GMT
Connection: keep-alive
00f..<HTML>.</HTML>...0..


POST /?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 238
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: nifty.ne.jp
Connection: Keep-Alive
Cache-Control: no-cache

..S.......K..4...`
..X ....~7...L..=b.......
..\#..".......G. !@."%9.$.f.%X..'G..)K.. ,.r.=../,<.1.bM.N.b../.=...>.....l:A$.OC...G5..G#P*I...J B"M/;.O&..Q.a.R;&.U2..V)L.XG..[1>.\B..^.d.`0..bA".d8..fI..hM
.j7:|l;3xn?,tpC%pra..tK.hvO.dx`o
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:33 GMT
Server: Apache
Location: hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY
Content-Length: 267
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.
<title>301 Moved Permanently</title>.</head><body>.
<h1>Moved Permanently</h1>.
<p>The document has moved <a href="hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY">here</a>.</p>.
</body></html>...


POST /?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578 HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 6
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sympatico.ca
Connection: Keep-Alive
Cache-Control: no-cache

p....@
HTTP/1.1 301 Moved Permanently
Location: hXXp://VVV.sympatico.ca/?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578
Content-Length: 0


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1156_rwx_00860000_0000C000:

GetWindowsDirectoryA
kernel32.dll
msvcrt.dll
GetProcessHeap
hsu#%s
.ACl;.
.Wn.r
0obP0.aU
[email protected]
cbL*elT<.bL
aiM%te;%ux
W:\eF
d5.FSp

%original file name%.exe_1156_rwx_00880000_0000F000:

GetWindowsDirectoryA
kernel32.dll
msvcrt.dll
GetProcessHeap
hsu#%s
.ACl;.
.Wn.r
0obP0.aU
[email protected]
cbL*elT<.bL
aiM%te;%ux
W:\eF
d5.FSp

%original file name%.exe_1156_rwx_008B0000_0000F000:

.text
`.rdata
@.data
.reloc
SSh(S
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
hXXps://%s
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
hXXp://%s
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
bEiO5\E.XD0]L;k]O

%original file name%.exe_1156_rwx_01DA0000_00006000:

.text
`.rdata
@.data
.reloc
hXXp://%s/?ptrxcz_%s
hXXp://%s/
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: %d
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
WS2_32.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
ole32.dll

%original file name%.exe_1156_rwx_04000000_0000F000:

.text
`.rdata
@.data
.reloc
SSh(S
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
hXXps://%s
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
hXXp://%s
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
hXXp://%s/?ptrxcz_%s
hXXp://%s/
%Documents and Settings%\%current user%\folohadlobos.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
    %Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
